Re: [saag] RADIUS is deprecating MD5

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 01 April 2024 12:33 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Alan DeKok <aland@deployingradius.com>
CC: "saag@ietf.org" <saag@ietf.org>
Date: Mon, 01 Apr 2024 12:33:17 +0000
Message-ID: <ME0P300MB0713FE22A714258C5F2D95F6EE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM>
References: <755BC73B-B981-4986-B45A-E9796DCC66BC@deployingradius.com> <ME0P300MB0713122730DC9574730AC816EE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <Zgl6ejdpJNOyUja0@chardros.imrryr.org> <E1B4CCB5-202F-4087-8B56-9E7F3D73D1D0@deployingradius.com> <ZgmDLfNxV2RKSA5o@chardros.imrryr.org> <21309D5A-E824-42C7-8BAB-366AD568E9F4@deployingradius.com> <ZgmPg0qgA9stSeUo@chardros.imrryr.org> <ME0P300MB07133F7BB2C11FA027143127EE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <B57C85E4-D0A1-4E93-999B-12F712AA46E1@deployingradius.com>
In-Reply-To: <B57C85E4-D0A1-4E93-999B-12F712AA46E1@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/8D7XdTNlYRwbnS1pRsqG9EfYtOs>
List-Id: Security Area Advisory Group <saag.ietf.org>

Alan DeKok <aland@deployingradius.com> writes:

>The use-case you keep mentioning of "RADIUS is useless. EAP-*TLS transports
>well-known passwords" is so rare as to be non-existent.  I've been doing
>RADIUS since 1996, and I can't recall ever seeing people do that.

That's the only use I've ever seen of it, but then I'm coming from the TLS
side, not the RADIUS side, where TLS is the main protocol and RADIUS is the
clunky transport mechanism, so it's kinda natural that I'd see it from there.

>I have to question the experience and knowledge of anyone who would build
>such a system.

They're not doing RADIUS anything: there are no time-based limits, VLANs,
summaries of their traffic (time, data transferred, etc.), RADIUS accounting
packets, no muffins, no toast, no teacakes, no buns, baps, baguettes or
bagels, no croissants, no crumpets, no pancakes, no potato cakes; there's just
a TLS-tunneled MSCHAPv2 (or whatever) challenge and an MSCHAPv2 response.

This isn't being used for Internet access or whatever; it's just to
authenticate a remote device.

Peter.