Re: [saag] RADIUS is deprecating MD5

Alan DeKok <aland@deployingradius.com> Mon, 01 April 2024 13:14 UTC

From: Alan DeKok <aland@deployingradius.com>
Date: Mon, 01 Apr 2024 09:14:09 -0400
Cc: "saag@ietf.org" <saag@ietf.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/74iloFTe6TspvI3091qdAab-Ut8>

On Apr 1, 2024, at 9:05 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> The devices are already on the network, RADIUS isn't doing any access control,
> or in fact anything at all as far as I can tell.  In fact at least one
> "RADIUS" implementation I've seen used in this situation is nothing more than
> some code to add the necessary wrappers on send and strip them on receive.
> Same with the "EAP" implementation.  The only bit that has any effect is the
> auth inside the TLS tunnel, and whether you get back an "OK" or "not-OK"
> response to that.

  Again, that design is extremely unusual.  You cannot take one limited use-case, and use it as the foundation for an extravagant claim that RADIUS is little more than a dumb transport.

  That limited use-case is not only irrelevant to the more common use-cases of RADIUS, I have to question the competence of anyone who's designed and built it.  As Wolfgang Pauli said, "It's not even wrong".

  I see I can't convince you as to how RADIUS actually works.  So I'll leave well enough alone, and move on to more productive endeavours.

  Alan DeKok.