IETF Logo Mail Archive

Re: [radext] Proposed charter text based on IETF-115 BoF

Alan DeKok <aland@deployingradius.com> Tue, 22 November 2022 15:37 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E167C14CE4E for <radext@ietfa.amsl.com>; Tue, 22 Nov 2022 07:37:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 72UByvOeTu8s for <radext@ietfa.amsl.com>; Tue, 22 Nov 2022 07:37:01 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE2D5C14CEE1 for <radext@ietf.org>; Tue, 22 Nov 2022 07:37:00 -0800 (PST)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 37E4129F; Tue, 22 Nov 2022 15:36:56 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <883f3572-121f-5ed8-7378-1a91c5525f88@iea-software.com>
Date: Tue, 22 Nov 2022 10:36:54 -0500
Cc: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, Bernard Aboba <bernard.aboba@gmail.com>, "radext@ietf.org" <radext@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EAAC2507-5D29-4453-8881-BC8D9D5314D8@deployingradius.com>
References: <FD0507D4-2C1D-478A-97E0-ECEEF1A5613B@deployingradius.com> <E82B0ECD-4580-4F35-B07B-35685CFC5C44@aiven.io> <883f3572-121f-5ed8-7378-1a91c5525f88@iea-software.com>
To: Peter Deacon <peterd@iea-software.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/zBCwEfz2NPNH8Sp1wMN2MK2E5ZI>
Subject: Re: [radext] Proposed charter text based on IETF-115 BoF
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2022 15:37:06 -0000

On Nov 22, 2022, at 9:49 AM, Peter Deacon <peterd@iea-software.com> wrote:
> What I'm not clear on is where in any applicable security standards are such algorithms prohibited in applications for reasons other than security?

  NIS SP 800-140Cr1 lists the allowed digest algorithms in FIPS-140-3: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140Cr1.pdf.  MD5 isn't on the list

  i.e. they list the allowed ciphers, digests, etc.  Everything else is explicitly forbidden.

  So you can't use MD5 for *any* purpose and be FIPS compliant.

> I am concerned with the idea of multiple seemingly identical incompatible versions of RADIUS.  SRADIUS naming in particular is likely to be a source of avoidable operator confusion.

  SRADIUS is a transport profile for RADIUS.   We've already added TCP, TLS, and DTLS to the original UDP-only RADIUS.  The potential for confusion is relatively small.

> Hey isn't RADIUS over TLS S(ecure)RADIUS?

  It's true that TLS allows for transport-layer security.  But if names are a problem, why are we using RadSec or RADIUS/TLS?  Why not just RADIUS for everything?
 
  For me, the point of choosing a new name is to highlight the differences between this transport and normal RADIUS transport.  Names matter, and names have meaning.

>  It connects ok but why does the connection keep dropping as soon as I send an authentication request? Presumably some operators wouldn't even have a choice to select non-SRADIUS and interopability would be impossible.

  Why wouldn't people have a choice with interoperability?  You're making assumptions without explaining why those assumptions are true.

  You're also assuming that operators and administrators have no tools with which to debug network connections.  I don't see that as true.

> I would prefer there be only one RADIUS over TLS standard not multiple incompatible ones.

    Please read the SRADIUS draft.  It explains all of these issues very clearly.  There are very good reasons for removing MD5 from RADIUS.  There are very good reasons for not calling the resulting protocol "RADIUS".

   Alan DeKok.

v2.23.0 | Report a Bug | By Email