Re: [saag] RADIUS is deprecating MD5

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 02 April 2024 13:50 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Jan-Frederik Rieckers <rieckers@uni-bremen.de>, "saag@ietf.org" <saag@ietf.org>
Date: Tue, 02 Apr 2024 13:50:45 +0000
Message-ID: <ME0P300MB0713F3FC6C7BA28331EBC315EE3E2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM>
In-Reply-To: <c31908d1-c979-4b96-98a2-74e252580813@uni-bremen.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/6N-pNjZKzjZJWaX0NuIVO_zy77o>

Jan-Frederik Rieckers <rieckers@uni-bremen.de> writes:

>Alan is the main developer of a widely used RADIUS server

I know who Alan is (I've been on the FreeRADIUS mailing list for years, it'd
be hard not to know :-), and I know he most likely knows more about RADIUS et
al than everyone else on here combined.  I also know how RADIUS et al are
supposed to work, nothing like Alan's level of knowledge but at least what the
RFCs and texts say, i.e. how it's *supposed* to work.

>You insist that RADIUS is used in this one use case that you have in mind and
>that the other use cases are negligible and/or that people who use it that way
>are dumb.

Uhh... I never said anything like that.  I mean there's nothing remotely like
that in the feedback I sent, just "some people use it this other way, have you
considered that?".  The point I've been trying to make is that like other
universal-hammer tools like TLS that get used in ways the designers never
intended, RADIUS gets used in ways other than what the textbook says.  My
concern is that creating an RFC that assumes it'll only be used in the
textbook manner won't accommodate uses in an other-than-textbook manner, of
which I gave one example that I'd encountered.

And to Alan: Apologies for the personal comment, I just felt like I was
beating my head against a wall trying to provide feedback on the draft that
wasn't feeding back anywhere.

Peter.