Re: [radext] Proposed charter text based on IETF-115 BoF

Jan-Frederik Rieckers <rieckers@dfn.de> Wed, 23 November 2022 09:38 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/w_e7uTY5_Y9Z3YIdPDr6-yJUTmE>

On 23.11.22 02:13, Alan DeKok wrote:
>> And given the low deployment and implementation of RADIUS over (D)TLS, "existing deployment" doesn't strike me as a good reason not to.
> 
>    It's low, but it is used.  I'm wary of re-defining existing protocols.

I wouldn't even say it's low.
We have two roaming consortia which rely either partially (eduroam) or 
completely (OpenRoaming) on RADIUS/TLS, partly with dynamic discovery.

Re-defining RADIUS/TLS without MD5-usage would mean that we also would 
have to specify a way of protocol negotiation in order to have an 
upgrade path, otherwise these consortia will stay on the old version, 
because otherwise the whole consortium has to switch to the new protocol 
on a flag day.

SRADIUS is a good way of addressing the problem of MD5-usage in RADIUS.
Whether this is an actual problem or just a suspected one doesn't matter 
IMHO.
The hassle of explaining why MD5 is OK in RADIUS, as long as the RADIUS 
packet is then encrypted and signed by IPSec/TLS, justifies the need for 
SRADIUS and having a new transport profile with different default ports 
is a good way to have reliable interoperability and a good and usable 
upgrade path.

Cheers,
Janfred

-- 
E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370
Pronomen: er/sein | Pronouns: he/him
__________________________________________________________________________________

DFN - Deutsches Forschungsnetz | German National Research and Education 
Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
www.dfn.de

Board: Prof. Dr. Odej Kao (Chair) | Dr. Rainer Bockholt | 
Christian Zens
Executive management: Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729B | USt.-ID. DE 1366/23822
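For readers following the thread, the "MD5-usage in RADIUS" being discussed is the packet-level integrity mechanism of the base protocol: the Response Authenticator of RFC 2865 (an MD5 hash over the response, the Request Authenticator and the shared secret) and the Message-Authenticator attribute of RFC 2869 (HMAC-MD5 keyed with the shared secret). The following is an added illustration of both computations and their verification; it is not code from the poster, from DFN, or from any RADIUS implementation, and the shared secret, Request Authenticator and User-Name are constructed values. It deliberately covers only the packet format, not the RADIUS/TLS transport that the thread argues makes the MD5 layer acceptable when present.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet constants from RFC 2865 / RFC 2869
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type, value):
    """Type(1) + Length(1) + Value; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute after the header."""
    pos = HEADER_LEN
    while pos < len(packet):
        attr_type, attr_len = struct.unpack_from("!BB", packet, pos)
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield pos, attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def build_access_request(ident, request_auth, secret, attrs):
    """Access-Request carrying a Message-Authenticator (RFC 2869 section 5.14).

    The HMAC-MD5 is computed over the whole packet with the Message-Authenticator
    value field set to 16 zero octets, then spliced into that field.
    """
    body = attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = HEADER_LEN + len(body)
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + request_auth + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed field is the last 16 octets here


def verify_message_authenticator(packet, secret):
    """True only if a Message-Authenticator is present and matches the secret."""
    for off, attr_type, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def build_response(code, ident, request_auth, secret, attrs):
    """Response with RFC 2865 section 3 Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator using the Request Authenticator
    that was sent in the matching request (the client must remember it)."""
    header, resp_auth, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo():
    # Constructed values; a real client draws the Request Authenticator randomly.
    secret = b"constructed-shared-secret"
    request_auth = os.urandom(16)
    req = build_access_request(
        7, request_auth, secret, encode_attr(ATTR_USER_NAME, b"alice@example.org")
    )
    acc = build_response(ACCESS_ACCEPT, 7, request_auth, secret, b"")
    # Flip one bit in the User-Name value: the HMAC no longer verifies.
    tampered = req[:22] + bytes([req[22] ^ 0x01]) + req[23:]
    return {
        "request_ok": verify_message_authenticator(req, secret),
        "tampered_ok": verify_message_authenticator(tampered, secret),
        "response_ok": verify_response(acc, request_auth, secret),
    }


if __name__ == "__main__":
    print(demo())
```

Both checks depend on the shared secret being unknown to an observer; on a cleartext UDP transport the secret is the only thing protecting the packet, which is why the thread's argument hinges on RADIUS/TLS (or IPsec) wrapping the whole exchange.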