Re: [proxies] Review of draft-hoeper-proxythreat-01.txt (Part 1)

Bernard Aboba <> Sun, 16 November 2008 14:42 UTC

Return-Path: <>
Received: from [] (localhost []) by (Postfix) with ESMTP id 9A22D3A681D; Sun, 16 Nov 2008 06:42:50 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 44AD63A681D for <>; Sun, 16 Nov 2008 06:42:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.27
X-Spam-Status: No, score=-1.27 tagged_above=-999 required=5 tests=[AWL=1.328, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xUN8tnRAGk0j for <>; Sun, 16 Nov 2008 06:42:48 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 319E13A67AD for <>; Sun, 16 Nov 2008 06:42:48 -0800 (PST)
Received: from BLU137-W54 ([]) by with Microsoft SMTPSVC(6.0.3790.3959); Sun, 16 Nov 2008 06:42:47 -0800
Message-ID: <BLU137-W5423E91D195604613D259C93100@phx.gbl>
X-Originating-IP: []
From: Bernard Aboba <>
To: <>
Date: Sun, 16 Nov 2008 06:42:47 -0800
Importance: Normal
In-Reply-To: <>
References: <> <> <BLU137-W54E3AB48E6D604B591851E931F0@phx.gbl> <> <> <BLU137-W184088AF25C88B75E1D78593110@phx.gbl> <>
MIME-Version: 1.0
X-OriginalArrivalTime: 16 Nov 2008 14:42:47.0863 (UTC) FILETIME=[97F53C70:01C947F9]
Subject: Re: [proxies] Review of draft-hoeper-proxythreat-01.txt (Part 1)
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for ad hoc group interested in security and proxies <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: multipart/mixed; boundary="===============0959486993=="

> Fair points, but aren't you than essentially saying "forget about the 
> threats and write *only* a deployment draft"?

The document doesn't cite some existing threat model assessments,
including RFC 5247 which is standards track and was chartered for
this purpose.  So I'd say that a new threat model document (if it
is needed) should focus on what is missing or what has 
changed with respect to those prior assessments.

One thing that has changed is RADSEC.  RADSEC challenges may of the 
assumptions that have been made relating to RADIUS, such as:

         RADIUS clients and servers cannot support certificates
         RADIUS cannot support confidentiality
         RADIUS requires a "trapezoid" model similar to SIP
         RADIUS clients cannot handle DNS lookups
         Proxy-avoidance technologies such as Diameter "redirect" cannot be deployed
         Large scale roaming between many domains is very difficult to set up
Once these assumptions become invalid, many of the security threats/issues also
disappear, and new ones may appear in their place.  In particular, given that
EDUROAM is virtually the only large scale deployed instance of inter-domain key 
transport, it probably makes sense to focus on it, rather than analyzing the 
security risks of other (nonexistent) deployments such as WiMAX. 

For example, if we start with the analysis of the operational benefits

of proxies described in RFC 2607, we find that several of the benefits
don't exist with RADSEC:
1.   Scalability improvement
2,   Authentication forwarding
3.   Capabilities adjustment
4.   Policy implementation
5.   Accounting reliability improvement
6.   Atomic operation

Of these benefits, at least #1 and #2 is no longer 
required with RADSEC using certificates.  Do benefits
#3, 4, 5 or 6 occur in a network such as EDUROAM?

Proxies mailing list