Re: [radext] RADIUS/TLS with NULL cipher suites
Stefan Paetow <Stefan.Paetow@jisc.ac.uk> Mon, 28 August 2023 00:49 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/vc3vOWPrmlLyXAEZjVSOMiv3A3A>
Just out of interest... Do we know which directorate inside the EU is responsible for this? This definitely should be raised there.

I guess this is industry (SCADA industry to be precise) trying to head off regulation of their systems security? It's daft to say the least! :-(

Stefan Paetow
Federated Roaming Technical Specialist
eduroam(UK), Jisc
email/teams: stefan.paetow@jisc.ac.uk
gpg: 0x3FCE5142

For eduroam support, please contact the eduroam team via help@jisc.ac.uk and mark it for eduroam's attention.
On Wednesdays and Fridays, I am not available between 12:00 and 15:00.

jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc's registered office is: 4 Portwall Lane, Bristol, BS1 6NB Tel: 020 3697 5800.

On 24/08/2023, 15:48, "radext on behalf of Alan DeKok" <radext-bounces@ietf.org on behalf of aland@deployingradius.com> wrote:

> I ran across this recently. The EU has "power systems and management" standards for RADIUS. Think SCADA && associated systems which do command and control of industrial equipment. That's good, right?
>
> IEC 62351-3:2023 was released recently, and contains the following gems (summarized)
>
> Table 9 - TLS 1.2 usable cipher suites
> ...
> TLS_NULL_WITH_NULL_NULL    disallowed
> TLS_RSA_WITH_NULL_MD5      disallowed
> TLS_RSA_WITH_NULL_SHA256
> ...
>
> Uh... what? NULL encryption is allowed?
>
> Couple that with the people using the default RADIUS/TLS secret of "radsec", and this proposal is *worse* than using RADIUS/UDP. The User-Password fields will be obfuscated with a known shared secret, making them visible to anyone.
>
> So for 6614bis, we need to forbid the use of NULL cipher suites for TLS 1.2 and earlier. We can't fix this specification. But we can issue our own counter-specification which goes "WHAT? WHY WOULD YOU DO THAT?"
>
> RADIUS is a never-ending source of joy.
>
> Alan DeKok.
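To make Alan's point concrete, the following is an added illustration (not code from either poster, the IEC standard, or any RADIUS implementation): it implements the RFC 2865 section 5.2 User-Password hiding that RADIUS/TLS relies on once the TLS layer offers NULL encryption, shows that the hiding is symmetric given the secret and the Request Authenticator (which is sent in the clear in every packet), and adds the check a server operator would want: reject any negotiated cipher suite with NULL encryption. The secret "radsec" is the well-known default the thread refers to; the Request Authenticator and password below are constructed sample values.

```python
import hashlib

# The fixed RADIUS/TLS default secret (RFC 6614); the thread's concern is
# that many deployments never change it, so it is effectively public.
DEFAULT_RADSEC_SECRET = b"radsec"


def _pad_to_blocks(password: bytes) -> bytes:
    # RFC 2865 5.2: zero-pad to a multiple of 16 octets, at least one block.
    blocks = max(1, -(-len(password) // 16))
    return password.ljust(blocks * 16, b"\x00")


def obfuscate_user_password(secret: bytes, request_authenticator: bytes,
                            password: bytes) -> bytes:
    """Hide a password as RFC 2865 does: XOR each 16-octet block with
    MD5(secret + previous_cipher_block), seeded by the Request Authenticator."""
    padded = _pad_to_blocks(password)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += c
        prev = c
    return bytes(out)


def reveal_user_password(secret: bytes, request_authenticator: bytes,
                         hidden: bytes) -> bytes:
    """The inverse pass: the same keystream, chained on the hidden blocks.
    Anyone holding the secret and the on-wire packet recovers the password,
    which is why 'obfuscation with a known secret' is not confidentiality."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ k for x, k in zip(c, keystream))
        prev = c
    return bytes(out).rstrip(b"\x00")


def has_null_cipher_suite(suite_names) -> bool:
    """Operator check: True if any offered/negotiated suite name (IANA or
    OpenSSL spelling) provides NULL encryption, e.g. TLS_RSA_WITH_NULL_SHA256."""
    return any("NULL" in name.upper() for name in suite_names)


if __name__ == "__main__":
    ra = bytes(range(16))                      # constructed Request Authenticator
    hidden = obfuscate_user_password(DEFAULT_RADSEC_SECRET, ra, b"example-pw")
    print(reveal_user_password(DEFAULT_RADSEC_SECRET, ra, hidden))
```

With a real cipher (AES-GCM or ChaCha20-Poly1305) on the TLS layer the hidden attribute is never visible on the wire, so the weakness of the RFC 2865 scheme does not matter; the `has_null_cipher_suite` check is the single configuration gate that keeps it that way under a profile like Table 9.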