IETF Logo Mail Archive

Re: [radext] New draft: RFC6614bis (RADIUS/TLS)

Alan DeKok <aland@deployingradius.com> Fri, 28 October 2022 13:19 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7384C14F746 for <radext@ietfa.amsl.com>; Fri, 28 Oct 2022 06:19:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qsyRU_j6ShnS for <radext@ietfa.amsl.com>; Fri, 28 Oct 2022 06:19:43 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DAF1C14F73B for <radext@ietf.org>; Fri, 28 Oct 2022 06:19:41 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id D407E1A2; Fri, 28 Oct 2022 13:19:38 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <5ac1c43d-9638-9d68-6e8f-d0f2c1137bd3@dfn.de>
Date: Fri, 28 Oct 2022 09:19:36 -0400
Cc: Peter Deacon <peterd@iea-software.com>, radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B3C2A71B-0796-4B74-8016-99A8341C18F8@deployingradius.com>
References: <d9a015f8-60a7-8eb1-65e0-ea19633c3784@dfn.de> <ef1855a1-2417-b3b0-ba4d-729bc507f151@iea-software.com> <5ac1c43d-9638-9d68-6e8f-d0f2c1137bd3@dfn.de>
To: Jan-Frederik Rieckers <rieckers@dfn.de>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/4WjE1e9H8N1VFBIV8r4iXqS8gQE>
Subject: Re: [radext] New draft: RFC6614bis (RADIUS/TLS)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2022 13:19:47 -0000

On Oct 28, 2022, at 4:47 AM, Jan-Frederik Rieckers <rieckers@dfn.de> wrote:
>> Think it might be worth considering a slight change to "radsec" static secrets.  There has been feedback on operational costs with deploying PKI that can lead to PSK/PAKE being preferred.
> 
> I don't see exactly why this would be a bad thing. A PSK/PAKE with a strong password should be enough to secure the connection in the same way as certificates do.

  I think we have to clearly distinguish RADIUS shared secrets from TLS pre-shared keys (PSK).

  RADIUS/TLS allows for TLS-PSK, and requires that the RADIUS shared secret using inside of the TLS tunnel is "radsec".

  I don't see much value in doing any checks on the RADIUS shared secret.  I do see value in using TLS-PSK, and doing checks on TLS-PSK Identities.

  Also, implementations MUST NOT use the RADIUS shared secret as the TLS-PSK.  Due to TLS version issues, a TLS-PSK MUST NOT be used across different versions of TLS.

> This of course is something, we can't control even with full mutual authentication with certificates, but it probably is harder, since you are more or less forced to exchange the certificate details with the admins of the peers, so they can configure their Radsec-Servers accordingly.
> If you allow only server authentication, people will likely accept any server certificate, which would lead to possibility to middle-person-attacks and we would fall back to the "security" of RADIUS.

  I think this is true.

  From a quick check of RFC 6614, it looks like there is no prohibition against bypassing server validation checks.  i.e. Section 2.3 says things like:

          +  Certificate validation MUST include the verification rules
             as per [RFC5280].

  Which implementors can read as "IF you do certificate validation, it MUST ..."

  Experience shows that unless utter idiocies are forbidden, they will be implemented.  And then deployed to millions of devices.

  There is text in RFC2865 which forbids the use of zero-length shared secrets, as that would remove all security from the MD5 packet signing.  The text was added because I ran into NAS equipment which did RADIUS, but which wouldn't let admins enter a shared secret: it was always zero-length!

> I feel that with the possibility to use PSK, we have a good way to secure the transport and either way we would have to manage the PSKs (or shared secrets in your proposal) on the server, so adding server authentication via TLS just adds more configuration to the server side.

  For the "deprecating RADIUS" and "SRADIUS" documents, the text mandates the use of TLS-PSK, and mandates the use of TLS 1.3 or later for TLS-PSK.

  I think there is a lot of utility in using TLS-PSK.  But I also think it's best to avoid any further discussion of shared secrets.  They're terrible, and need to go away ASAP.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email