Re: [saag] RADIUS is deprecating MD5

Alan DeKok <aland@deployingradius.com> Sun, 31 March 2024 15:17 UTC

From: Alan DeKok <aland@deployingradius.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Sun, 31 Mar 2024 11:16:55 -0400
References: <755BC73B-B981-4986-B45A-E9796DCC66BC@deployingradius.com> <ME0P300MB0713122730DC9574730AC816EE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <Zgl6ejdpJNOyUja0@chardros.imrryr.org>
To: saag@ietf.org
In-Reply-To: <Zgl6ejdpJNOyUja0@chardros.imrryr.org>
Message-Id: <E1B4CCB5-202F-4087-8B56-9E7F3D73D1D0@deployingradius.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/zYCYcIUHwSXxU19K7tkLM8lrw7E>
Subject: Re: [saag] RADIUS is deprecating MD5

On Mar 31, 2024, at 11:00 AM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> I appreciate and agree that new protocols should not use MD5, but it is
> not clear that there's a pressing case to deprecate its long-standing
> use in RADIUS.  What attack is that guarding against?

  As Jan-Frederik pointed out, privacy is a huge one.

  In many cases, RADIUS packets are often sent across the net in the clear.  This exposes user identity, location, device information, etc.

  In many cases, Access-Request packets are unauthenticated, and lack all integrity checks.

  The only fix is to switch to TLS transport.

  To be perfectly clear:  There are "cloud" providers which send RADIUS/UDP traffic over the Internet.  In the clear.  Where anyone can see or modify the contents.

  There is absolutely no reason to keep doing this in 2024.  There is every reason to deprecate such behavior with extreme prejudice.  Anyone doing that should stop immediately.

  We've known since the late 1990s that this behavior is terrible.  Yet we're only now thinking of officially deprecating it.  Can we please just agree that sending PII in clear-text across the Internet is bad?

  Alan DeKok.
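The two properties the message above relies on (the User-Name travels in the clear, and an Access-Request carries no integrity check unless a Message-Authenticator attribute is present) can be checked directly on the wire format. The following is an added example, not code from the thread or from any RADIUS implementation: it builds a constructed Access-Request per RFC 2865, optionally appends the RFC 2869 Message-Authenticator (HMAC-MD5 keyed with the shared secret), and then shows what a passive observer sees and what a receiver can and cannot verify. The identity, NAS address, Request Authenticator bytes and shared secret are all constructed sample values.

```python
"""Constructed RADIUS Access-Request: cleartext identity and integrity check.

Added example (not from the mailing-list thread). Wire format per RFC 2865,
Message-Authenticator per RFC 2869 section 5.14. All sample values are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80  # HMAC-MD5 over the packet, keyed with the shared secret

# Constructed sample values (hypothetical, for the demonstration only).
SECRET = b"constructed-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))  # a real NAS uses 16 random bytes
SAMPLE_ATTRS = [
    (ATTR_USER_NAME, b"alice@example.org"),
    (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
]


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def build_access_request(identifier, request_authenticator, attrs, secret=None):
    """Build an Access-Request. With a secret, append a Message-Authenticator:
    HMAC-MD5 over the whole packet with that attribute's value set to 16 zero bytes."""
    assert len(request_authenticator) == 16
    body = encode_attrs(attrs)
    if secret is not None:
        body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + request_authenticator + body
    if secret is None:
        return packet
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed value is the last 16 bytes


def parse_radius(packet):
    """Parse header and attributes; rejects inconsistent lengths."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "identifier": identifier,
            "authenticator": packet[4:20], "attrs": attrs}


def cleartext_identity(packet):
    """The User-Name exactly as it crosses the network: no encryption is applied."""
    for atype, value in parse_radius(packet)["attrs"]:
        if atype == ATTR_USER_NAME:
            return value.decode("utf-8", "replace")
    return None


def check_integrity(packet, secret):
    """Return 'unprotected' when no Message-Authenticator is present (nothing to
    verify, so any modification is undetectable), otherwise 'valid' or 'invalid'."""
    pos = 20
    for atype, value in parse_radius(packet)["attrs"]:
        alen = 2 + len(value)
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + alen:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "valid" if hmac.compare_digest(expected, value) else "invalid"
        pos += alen
    return "unprotected"


if __name__ == "__main__":
    plain = build_access_request(7, SAMPLE_AUTHENTICATOR, SAMPLE_ATTRS)
    print("observer sees identity:", cleartext_identity(plain))
    print("integrity (no Message-Authenticator):", check_integrity(plain, SECRET))
    protected = build_access_request(7, SAMPLE_AUTHENTICATOR, SAMPLE_ATTRS, SECRET)
    print("integrity (with Message-Authenticator):", check_integrity(protected, SECRET))
```

Message-Authenticator only covers integrity against a peer holding the shared secret, and it is keyed HMAC-MD5; it does nothing for the privacy point, since the User-Name and NAS address remain readable by anyone on the path. That is why the message above treats TLS transport, not a stronger authenticator, as the fix.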