IETF Logo Mail Archive

Re: [saag] RADIUS is deprecating MD5

Alan DeKok <aland@deployingradius.com> Sun, 31 March 2024 20:52 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB29BC14F68D for <saag@ietfa.amsl.com>; Sun, 31 Mar 2024 13:52:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DLL9x1hzw4WH for <saag@ietfa.amsl.com>; Sun, 31 Mar 2024 13:52:08 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25C79C14F61F for <saag@ietf.org>; Sun, 31 Mar 2024 13:52:07 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id A5971303 for <saag@ietf.org>; Sun, 31 Mar 2024 20:52:04 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
From: Alan DeKok <aland@deployingradius.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Sun, 31 Mar 2024 16:52:03 -0400
References: <755BC73B-B981-4986-B45A-E9796DCC66BC@deployingradius.com> <ME0P300MB0713122730DC9574730AC816EE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <Zgl6ejdpJNOyUja0@chardros.imrryr.org> <E1B4CCB5-202F-4087-8B56-9E7F3D73D1D0@deployingradius.com> <ZgmDLfNxV2RKSA5o@chardros.imrryr.org> <21309D5A-E824-42C7-8BAB-366AD568E9F4@deployingradius.com> <ZgmPg0qgA9stSeUo@chardros.imrryr.org>
To: saag@ietf.org
In-Reply-To: <ZgmPg0qgA9stSeUo@chardros.imrryr.org>
Message-Id: <75CEBA7A-95F4-4208-A0F7-B541FF5D62B1@deployingradius.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/fAP1a53iofHV9oNR4WPDxpVoDmY>
Subject: Re: [saag] RADIUS is deprecating MD5
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 20:52:09 -0000

On Mar 31, 2024, at 12:29 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> I'm just trying to better understand the core issue, which seems to be
> UDP more than MD5, best I can tell from the discussion so far.

  It has nothing to do with UDP.

  As Jan-Frederik wrote, there are two issues:

1) privacy - almost all information is sent in clear-text, including PII

2) security - many packets lack all authentication and integrity checks.

  Neither issue is acceptable in 2025.

>  Others
> can speak to whether or not the deprecation is or isn't overly
> disruptive relative to the benefits.

  Again, "deprecation" is an official statement that people shouldn't use it.  Deprecating RADIUS/UDP won't suddenly invalidate ~100M devices.

  As someone who's done RADIUS since 1996, the cost is acceptable.  People using it inside of "trusted" networks are somwhat secure.  People using it outside of trusted networks have known for *decades* that it's insecure.

  I have little sympathy for shipping insecure products for decades, because "meh, whatever".  The IETF has the power to change this, and should.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email