Re: [radext] Adam Roach's Discuss on draft-ietf-radext-coa-proxy-05: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Sat, 03 November 2018 09:18 UTC

Date: Sat, 03 Nov 2018 04:18:19 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Adam Roach <adam@nostrum.com>
Cc: Alan DeKok <aland@deployingradius.com>, radext-chairs@ietf.org, Winter Stefan <stefan.winter@restena.lu>, The IESG <iesg@ietf.org>, draft-ietf-radext-coa-proxy@ietf.org, radext@ietf.org
Message-ID: <20181103091819.GC54966@kduck.kaduk.org>
In-Reply-To: <bb979dfc-8241-ffa1-876b-f833053d49e7@nostrum.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/wGDPaOIHTKmRLXY6zxkQJH7HA4I>

On Tue, Aug 14, 2018 at 12:43:49PM -0500, Adam Roach wrote:
> On 8/14/18 12:31, Alan DeKok wrote:
> >    Any security issues with the contents of Operator-NAS-Identifier are largely mitigated by the utter crap-fest that's the rest of RADIUS.  Which means that it doesn't really matter how the values of Operator-NAS-Identifier are created, stored, or used.
> 
> 
> Perfect! That's what the document should say.
> 
> Mostly, I was taking issue with language that implies that there is some 
> level of security being applied to this token, and that the guidance and 
> mechanisms in this draft were sufficient to even allow doing so (see, 
> e.g., my comment on field sizes). Securing this field would be fine, if 
> done correctly. Leaving it unsecured -- as is done with similar 
> information in Radius -- is fine also. It's the middle-ground of 
> security theater -- and, in this case, RFC-2119-language normative 
> security theater --  that I think is dangerous.

Hi Adam,

Could you take a look at the text in the -07 and clear your Discuss if you
are satisfied?

Thanks,

Benjamin