IETF Logo Mail Archive

Re: [saag] RADIUS is deprecating MD5

Jan-Frederik Rieckers <rieckers@uni-bremen.de> Mon, 01 April 2024 14:01 UTC

Return-Path: <rieckers@uni-bremen.de>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3673DC14F70B for <saag@ietfa.amsl.com>; Mon, 1 Apr 2024 07:01:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=uni-bremen.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZYe024yvn-D0 for <saag@ietfa.amsl.com>; Mon, 1 Apr 2024 07:01:44 -0700 (PDT)
Received: from smtp.zfn.uni-bremen.de (smtp.zfn.uni-bremen.de [IPv6:2001:638:708:32::21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A87D1C14F6BF for <saag@ietf.org>; Mon, 1 Apr 2024 07:01:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=uni-bremen.de; s=2019; t=1711980099; bh=67gScjVRT0uF2r2TctlAteiAnyiHPU77ang9e5ZIWpM=; h=Date:Subject:To:References:From:In-Reply-To; b=CICg2UkMCLaaWFdCxQhgN2Wqc2hSZvVGLKEhFVEEcHdT9SDr45G/TWKqkLRub1GZW Uro8ao+9rumg9rGGJGu/lqdgjQaURNY2UJ9kiYDIM5bowviRnqTGZ6Siyl002vyfNe JSylUM2fysmFibqJ5GBvWmZSybsvl2Eujy66uOxmtZt3KeSlwE/iZt+SdaWijjRjwv HE7GmBXcNoQForOlZbeP0VNmmsNJqy0MKNTw9R16kbPHs0Pcb/qDe0xSinStbySfbR 3q9CtNBoqBzpsg7ug3mRbY6BHxsPZc1dm5GhVYQIN3Rv0ZaIKJeLgRg+M5mOMhxSBH zxx8CtHCFr4dA==
Received: from [IPV6:2a02:8106:57:952a:1c8e:df6a:b2a4:7ff9] (unknown [IPv6:2a02:8106:57:952a:1c8e:df6a:b2a4:7ff9]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4V7XkB5jPxzDCcT for <saag@ietf.org>; Mon, 1 Apr 2024 16:01:38 +0200 (CEST)
Message-ID: <c31908d1-c979-4b96-98a2-74e252580813@uni-bremen.de>
Date: Mon, 01 Apr 2024 16:01:33 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: saag@ietf.org
References: <755BC73B-B981-4986-B45A-E9796DCC66BC@deployingradius.com> <ME0P300MB0713122730DC9574730AC816EE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <Zgl6ejdpJNOyUja0@chardros.imrryr.org> <E1B4CCB5-202F-4087-8B56-9E7F3D73D1D0@deployingradius.com> <ZgmDLfNxV2RKSA5o@chardros.imrryr.org> <21309D5A-E824-42C7-8BAB-366AD568E9F4@deployingradius.com> <ZgmPg0qgA9stSeUo@chardros.imrryr.org> <ME0P300MB07133F7BB2C11FA027143127EE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <B57C85E4-D0A1-4E93-999B-12F712AA46E1@deployingradius.com> <ME0P300MB0713FE22A714258C5F2D95F6EE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <B51C0F05-020C-486B-8DFC-3FC94D42A776@deployingradius.com> <ME0P300MB0713DE85687893610B7E6CBFEE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <5B9DD4E1-76FB-460B-A68A-D7E085AC2E26@deployingradius.com> <ME0P300MB0713F57E1F1556EA9BE0CEF7EE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM>
Content-Language: en-US
From: Jan-Frederik Rieckers <rieckers@uni-bremen.de>
In-Reply-To: <ME0P300MB0713F57E1F1556EA9BE0CEF7EE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms050407040802020606000602"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/39dxghFg2kU3eypTHdIXbJMe4Co>
Subject: Re: [saag] RADIUS is deprecating MD5
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2024 14:01:48 -0000

Hi Peter,

Sorry to jump in here as well and double down on what Alan already 
wrote, but please, try to actually read all of the mails sent, try to 
understand them and look who's writing them and what's their experience 
with RADIUS.
I've tried to write a good explanation, but I don't think you took the 
time to actually read that.

Try also to understand our point of view.
Alan is the main developer of a widely used RADIUS server, so it would 
be safe to assume (and I know it from personal contact) that he knows a 
lot about RADIUS and where it is used!
I'm working for one of the national roaming operators for eduroam, and 
I've been maintaining the eduroam setup at my home university during my 
studies, as well as a related setup which used plain RADIUS with passwords.

And most of us who responded, Alan, Bernard, and I, have tried to tell 
you that there are other use cases of RADIUS out there, and that we are 
thinking of those use cases as well.
So if someone is doing the "Lalala, I'm not listening", then, I'm sorry 
for being this direct, it's you.

You insist that RADIUS is used in this one use case that you have in 
mind and that the other use cases are negligible and/or that people who 
use it that way are dumb.

It's one thing to say "Ok, I don't see it your way" but that's not what 
you are doing. You are completely disregarding every reply.

I'm happy to discuss with you why you think the effort of producing a 
document that deprecates insecure RADIUS practices is a bad idea, but 
for that discussion to be meaningful, you first need to listen and 
understand what use cases we have in mind.
And if you say "Those are not real" or "That's not what RADIUS is used 
for", then please, provide us with the grounds for those statements and 
don't just refuse to accept our statements.
Our statements are based on our experience with this protocol, and just 
because you haven't seen those use cases, that doesn't mean they don't 
exist.

Cheers,
Janfred

On 01.04.24 15:27, Peter Gutmann wrote:
> Alan DeKok <aland@deployingradius.com> writes:
> 
>> I see I can't convince you as to how RADIUS actually works.
> 
> I know how RADIUS works, I'm pointing out that it's used in ways other than
> the way you imagine.  You're responding with "lalalalala, I'm not listening,
> I'm not listening, there's only this way, nothing else exists".  This doesn't
> change the fact that it's used in other ways than you imagine.
> 
> As for judging the competence of the people who built this stuff, what it's
> being used with predates RADIUS by many years and it's still going so I'd say
> they were pretty competent.
> 
> (OK, it's actually kinda messy, but it's kept the lights on so at least it
> works).
> 
> Peter.
>

v2.23.0 | Report a Bug | By Email