[POSH] Another use case that suffers: RADIUS dynamic peer discovery
Stefan Winter <stefan.winter@restena.lu> Mon, 29 July 2013 15:26 UTC
Return-Path: <stefan.winter@restena.lu>
X-Original-To: posh@ietfa.amsl.com
Delivered-To: posh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C7B621F9DA5 for <posh@ietfa.amsl.com>; Mon, 29 Jul 2013 08:26:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[AWL=-0.600, BAYES_00=-2.599, J_CHICKENPOX_55=0.6, J_CHICKENPOX_64=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QbE0O32oGZY2 for <posh@ietfa.amsl.com>; Mon, 29 Jul 2013 08:26:28 -0700 (PDT)
Received: from smtp.restena.lu (legolas.restena.lu [IPv6:2001:a18:1::34]) by ietfa.amsl.com (Postfix) with ESMTP id B15EC21F994C for <posh@ietf.org>; Mon, 29 Jul 2013 08:26:18 -0700 (PDT)
Received: from smtp.restena.lu (localhost [127.0.0.1]) by smtp.restena.lu (Postfix) with ESMTP id 44C79EA801 for <posh@ietf.org>; Mon, 29 Jul 2013 17:26:11 +0200 (CEST)
Received: from viper.local (unknown [158.64.15.193]) by smtp.restena.lu (Postfix) with ESMTPSA id 2CC33EA1F0 for <posh@ietf.org>; Mon, 29 Jul 2013 17:26:11 +0200 (CEST)
Message-ID: <51F689A6.3050805@restena.lu>
Date: Mon, 29 Jul 2013 17:26:30 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: posh@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV
Subject: [POSH] Another use case that suffers: RADIUS dynamic peer discovery
X-BeenThere: posh@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion about PKIX Over Secure HTTP <posh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/posh>, <mailto:posh-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/posh>
List-Post: <mailto:posh@ietf.org>
List-Help: <mailto:posh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/posh>, <mailto:posh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 15:26:48 -0000
Hi, sitting in the POSH BoF, I would have had one other use case which suffers the same problems - but having had so many at the mike, I guess sending an email to the list is enough. This is about RADIUS and an almost-finished draft about "Dynamic Server Discovery". The short story is that a RADIUS client gets an email-style username from an end-user, uses DNS (NAPTR -> SRV/A/AAAA) to find a server and then tries to figure out: is that server authoritative for the _domain_ I got as input. The discovery process doesn't particularly care about the hostname, just like in the other use cases. And just like in those, you may operate a RADIUS proxy which deals with multiple domains, none of which are cert-wise under its control. Our problem is a little tougher to crack than those presented IMHO, because: - DNSSEC+DANE doesn't do the job entirely: RADIUS/TLS connections are always mutually authenticated, meaning there's a client cert validation happening - which DANE doesn't specify how to do. We could restrict to using DNSSEC+DANE for server authz+authn, and declare the client part out of scope though. - In the absence of DNSSEC, X.509 service names don't do the job either, because the discovery starts with NAPTR, and it may or may not traverse an SRV in the middle; and even if it does, the input to SRV lookup is untrusted (someone might have manipulated the preceding NAPTR already). Our solution (or what I currently think is the solution) is to have a new cert property that encodes the _domain name_ just for the specific AAA use case. We call our domains "NAI realms", so what I was trying to get from PKIX folks is a subjectAltName:nAIRealm property. This would contain the realm and only delegate trust for the NAI realm of a domain to the cert holder, not of the entire domain per se. I understand from the SIP presentation that this will hit the ground hard if you expect actual commercial CAs to issue certs with such a name, but that's less an issue… RADIUS is typically run for (closed-group) roaming consortia which can agree on their own CAs. And the certs are validated in a machine-to-machine manner from RADIUS clients to RADIUS servers, not by end-users. I don't have the name from PKIX yet, still being discussed. If POSH had a less intrusive way of solving this, do go ahead :-) I'll read the draft. Greetings, Stefan Winter
- [POSH] Another use case that suffers: RADIUS dyna… Stefan Winter