Re: [saag] RADIUS is deprecating MD5

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 01 April 2024 07:04 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "saag@ietf.org" <saag@ietf.org>
Date: Mon, 01 Apr 2024 07:04:06 +0000
Message-ID: <ME0P300MB07133F7BB2C11FA027143127EE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM>
References: <755BC73B-B981-4986-B45A-E9796DCC66BC@deployingradius.com> <ME0P300MB0713122730DC9574730AC816EE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <Zgl6ejdpJNOyUja0@chardros.imrryr.org> <E1B4CCB5-202F-4087-8B56-9E7F3D73D1D0@deployingradius.com> <ZgmDLfNxV2RKSA5o@chardros.imrryr.org> <21309D5A-E824-42C7-8BAB-366AD568E9F4@deployingradius.com> <ZgmPg0qgA9stSeUo@chardros.imrryr.org>
In-Reply-To: <ZgmPg0qgA9stSeUo@chardros.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/0JeZ1kuZtIQ0oosWXuE2-u_ijDQ>
Subject: Re: [saag] RADIUS is deprecating MD5
List-Id: Security Area Advisory Group <saag.ietf.org>

Viktor Dukhovni <ietf-dane@dukhovni.org> writes:

>Others can speak to whether or not the deprecation is or isn't overly
>disruptive relative to the benefits.

It depends on whether RADIUS is being used for authentication or as a
transport layer.  As I've already pointed out, with RADIUS-for-transport
there's nothing to fix because RADIUS isn't doing anything that matters.

For those who aren't familiar with how this works, the layering is as follows:

UDP - Unreliable, and fragments
RADIUS - Fragments again, but differently to UDP.
EAP-over-RADIUS
EAP - Fragments yet again, and differently again.
A turtle
More turtles
Four elephants
Some form of TLS encapsulation, e.g. EAP-TLS, PEAP, etc
*** TLS ***
EAP/DIAMETER/some mess Microsoft invented
The authentication you're using, often MSCHAPv2 by the time you get here

Of all that mess, the only parts that matter are the TLS tunnel and the
authentication run inside it.  Everything before the point marked *** TLS ***
is irrelevant because its sole purpose is to comply with a decades-long
accretion of unnecessary layering in various RFCs.

So when RADIUS is used this way there's nothing to "fix", since the bit that
matters is already being run inside a TLS tunnel.  It's only when the layering
is:

UDP
RADIUS

that there's something that needs fixing.

Peter.
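The distinction drawn above (RADIUS carrying the credential itself versus RADIUS merely transporting an EAP payload) is something an operator can check on captured traffic. The following is an added example written for this page, not code from the message or from any RADIUS implementation: it parses an Access-Request per RFC 2865, computes and verifies the MD5 Response Authenticator so that what the RADIUS-layer MD5 actually does is visible, applies the RFC 2865 User-Password hiding to build a realistic sample, and then reports whether the packet is in the "UDP / RADIUS only" case (credential in User-Password or CHAP-Password, so the MD5 constructions are doing the security work) or the "transport" case (credential inside EAP-Message). The shared secret, the Request Authenticator and the sample packets are constructed for the example; the "transport" verdict assumes, as the message's layering does, that the inner EAP method is itself TLS-based.

```python
"""Audit helper (added example): does the RADIUS layer's MD5 carry the credential,
or is RADIUS only a transport for an EAP payload secured by an inner TLS tunnel?
Packet formats follow RFC 2865; all secrets and sample packets are constructed."""
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2869
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 2, 3, 4
STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 24, 79, 80

# Attributes whose secrecy or integrity rests on RADIUS's own MD5 constructions.
MD5_DEPENDENT = {
    USER_PASSWORD: "User-Password: hidden with an MD5(secret||authenticator) keystream",
    CHAP_PASSWORD: "CHAP-Password: plain MD5 challenge-response",
}

SECRET = b"example-shared-secret"   # constructed shared secret
REQUEST_AUTH = bytes(range(16))    # constructed 16-byte Request Authenticator


def build_packet(code, ident, authenticator, attrs):
    """Serialize header + TLV attributes; the Length field covers the whole packet."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("Length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret || previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5 over the reply (with the request's authenticator) and the shared secret."""
    return hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()


def verify_response(reply, request_auth, secret):
    """Check a server reply's Response Authenticator against the matching request."""
    code, ident, auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(auth, expected)


def classify_request(request):
    """'md5-matters' when the credential rides directly on RADIUS, 'transport' when it is
    inside EAP-Message (the inner method, e.g. EAP-TLS/PEAP, supplies its own security)."""
    code, _, _, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    present = {t for t, _ in attrs}
    findings = [desc for t, desc in MD5_DEPENDENT.items() if t in present]
    if findings:
        return "md5-matters", findings
    if EAP_MESSAGE in present:
        return "transport", ["EAP-Message present: credential is inside the EAP/TLS payload"]
    return "unknown", []


def sample_password_request():
    """Constructed 'UDP / RADIUS only' request: PAP credential in User-Password."""
    attrs = [(USER_NAME, b"alice"),
             (USER_PASSWORD, hide_password(b"hunter2", SECRET, REQUEST_AUTH)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
    return build_packet(ACCESS_REQUEST, 7, REQUEST_AUTH, attrs)


def sample_eap_request():
    """Constructed transport-style request: EAP-Response/Identity carried in EAP-Message."""
    attrs = [(USER_NAME, b"alice"),
             (EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice"),   # EAP code 2, id 1, len 10, type Identity
             (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    return build_packet(ACCESS_REQUEST, 8, REQUEST_AUTH, attrs)


def sample_challenge_reply():
    """Constructed Access-Challenge whose Response Authenticator is computed correctly."""
    attrs = [(STATE, b"s1")]
    auth = response_authenticator(ACCESS_CHALLENGE, 7, REQUEST_AUTH, attrs, SECRET)
    return build_packet(ACCESS_CHALLENGE, 7, auth, attrs)


if __name__ == "__main__":
    for pkt in (sample_password_request(), sample_eap_request()):
        print(classify_request(pkt))
    print("reply authenticator valid:", verify_response(sample_challenge_reply(), REQUEST_AUTH, SECRET))
```

Run against a real capture, `classify_request` takes the UDP payload of each Access-Request; a fleet where every request comes back "transport" is in the situation the message describes as having nothing to fix at the RADIUS layer, while any "md5-matters" result marks a NAS that is still sending PAP or CHAP credentials under RADIUS's own MD5 protections.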