Re: [saag] RADIUS is deprecating MD5

Alan DeKok <aland@deployingradius.com> Mon, 01 April 2024 14:17 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <ME0P300MB0713F57E1F1556EA9BE0CEF7EE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM>
Date: Mon, 01 Apr 2024 10:17:42 -0400
Cc: "saag@ietf.org" <saag@ietf.org>
Message-Id: <2FD85AB2-FA68-4FEB-8170-E78A7AADE1AF@deployingradius.com>
References: <755BC73B-B981-4986-B45A-E9796DCC66BC@deployingradius.com> <ME0P300MB0713122730DC9574730AC816EE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <Zgl6ejdpJNOyUja0@chardros.imrryr.org> <E1B4CCB5-202F-4087-8B56-9E7F3D73D1D0@deployingradius.com> <ZgmDLfNxV2RKSA5o@chardros.imrryr.org> <21309D5A-E824-42C7-8BAB-366AD568E9F4@deployingradius.com> <ZgmPg0qgA9stSeUo@chardros.imrryr.org> <ME0P300MB07133F7BB2C11FA027143127EE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <B57C85E4-D0A1-4E93-999B-12F712AA46E1@deployingradius.com> <ME0P300MB0713FE22A714258C5F2D95F6EE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <B51C0F05-020C-486B-8DFC-3FC94D42A776@deployingradius.com> <ME0P300MB0713DE85687893610B7E6CBFEE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <5B9DD4E1-76FB-460B-A68A-D7E085AC2E26@deployingradius.com> <ME0P300MB0713F57E1F1556EA9BE0CEF7EE3F2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/gO_HjUp14noHo6KK8qU9v5XPCKM>
Subject: Re: [saag] RADIUS is deprecating MD5

On Apr 1, 2024, at 9:27 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> I know how RADIUS works, I'm pointing out that it's used in ways other than
> the way you imagine.  You're responding with "lalalalala, I'm not listening,
> I'm not listening, there's only this way, nothing else exists".  This doesn't
> change the fact that it's used in other ways than you imagine.

  That's rather unnecessarily personal.

  I understand perfectly well the use-case you're describing.  My issue is *why* someone has designed that system.

  RADIUS is used as a gate-keeper for network access.  If people are using it when a system already has network access, then it's the wrong protocol to use.

  The underlying issue here is that I've done RADIUS for well over two decades.  I've never seen a system designed like you say, and I would never recommend that anyone do it.

  I understand that you respect the competence of the people who've designed this system.  That's your choice.

  I'm asking that you not apply that use-case to how everyone else on the planet uses RADIUS.  I'm asking that you not make misleading and incorrect statements that RADIUS isn't used for much, or that it's nothing more than a transport layer for EAP-*TLS.

  It's not.  Jan-Frederik, Bernard, and I have explained in detail why that position is false.  If multiple decades of experience and detailed explanations don't convince you, and instead result in personal attacks, then I'm done.

  Alan DeKok.