Re: [saag] RADIUS is deprecating MD5
Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 01 April 2024 12:33 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Alan DeKok <aland@deployingradius.com>
CC: "saag@ietf.org" <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/8D7XdTNlYRwbnS1pRsqG9EfYtOs>

Alan DeKok <aland@deployingradius.com> writes:

>The use-case you keep mentioning of "RADIUS is useless. EAP-*TLS transports
>well-known passwords" is so rare as to be non-existent. I've been doing
>RADIUS since 1996, and I can't recall ever seeing people do that.

That's the only use I've ever seen of it, but then I'm coming from the TLS side
not the RADIUS side where TLS is the main protocol and RADIUS is the clunky
transport mechanism so it's kinda natural that I'd see it from there.

>I have to question the experience and knowledge of anyone who would build
>such a system.

They're not doing RADIUS anything, there's no time-based limits, VLANs,
summaries of their traffic (time, data transferred, etc.), RADIUS accounting
packets, no muffins, no toast, no teacakes, no buns, baps, baguettes or bagels,
no croissants, no crumpets, no pancakes, no potato cakes, there's just a
TLS-tunneled MSCHAPv2 (or whatever) challenge and an MSCHAPv2 response. This
isn't being used for Internet access or whatever, it's just to authenticate a
remote device.

Peter.