Re: [radext] Meeting in Seoul - call for talking slot requests
"Brian Weis (bew)" <bew@cisco.com> Fri, 28 October 2016 21:33 UTC
Return-Path: <bew@cisco.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5379D12948B for <radext@ietfa.amsl.com>; Fri, 28 Oct 2016 14:33:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.952
X-Spam-Level:
X-Spam-Status: No, score=-14.952 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o3j4PqPccDdv for <radext@ietfa.amsl.com>; Fri, 28 Oct 2016 14:33:17 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86335129468 for <radext@ietf.org>; Fri, 28 Oct 2016 14:33:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3272; q=dns/txt; s=iport; t=1477690397; x=1478899997; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=gNIO63jCEyStTAN+rOXSDtOkq0ovNvCR+OHtknUzBfo=; b=T037z2/CcJOyX4TNyDI1D3OGAgVuVWHX+zMRsdt9BHAnXB7pI/M2fPU5 8w7oXwp9fyQnD81Cm83ceJ7gjVgYNJDjOk6+oIhjGJo/6uww4YQJwWky+ AWmgsgfSFN668qzmDWfzwg8hhjUAnUKokqb8xrVfdDqk/mLyppSnWDWTo U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CCAQAjwxNY/4YNJK1ZAxoBAQEBAgEBAQEIAQEBAYMqAQEBAQEfWH0HjS+Wf5Q/ggcohXsCGoFqPxQBAgEBAQEBAQFiKIRiAQEBAwEdBhFFBQsCAQgYAgImAgICMBUQAgQOBRuIMQgOsW6MaAEBAQEBAQEBAQEBAQEBAQEBAQEBARcFgQeHM4JYhBkRATMKJoI9LIIvBYhNi22FXgGGLIl6kASND4QAAR42X4UKcoVKgSCBCQEBAQ
X-IronPort-AV: E=Sophos;i="5.31,560,1473120000"; d="scan'208";a="340800145"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 28 Oct 2016 21:33:16 +0000
Received: from XCH-RTP-004.cisco.com (xch-rtp-004.cisco.com [64.101.220.144]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id u9SLXGJL023153 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 28 Oct 2016 21:33:16 GMT
Received: from xch-rtp-001.cisco.com (64.101.220.141) by XCH-RTP-004.cisco.com (64.101.220.144) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Fri, 28 Oct 2016 17:33:15 -0400
Received: from xch-rtp-001.cisco.com ([64.101.220.141]) by XCH-RTP-001.cisco.com ([64.101.220.141]) with mapi id 15.00.1210.000; Fri, 28 Oct 2016 17:33:15 -0400
From: "Brian Weis (bew)" <bew@cisco.com>
To: Alan DeKok <aland@deployingradius.com>
Thread-Topic: [radext] Meeting in Seoul - call for talking slot requests
Thread-Index: AQHSLeVRIopkGtY0B0uyPfJJVeag26C6CSoAgAGktQCAAv8sgA==
Date: Fri, 28 Oct 2016 21:33:15 +0000
Message-ID: <7CAB5EA2-3CBF-49DB-B7D6-B612AAFE2020@cisco.com>
References: <42a9aa91-2848-c9ae-dc45-970e6610f02a@restena.lu> <062260E0-9FEE-4E36-9521-1896A39A38B8@cisco.com> <89F2AC4B-3867-4784-A830-30259D1D2261@deployingradius.com>
In-Reply-To: <89F2AC4B-3867-4784-A830-30259D1D2261@deployingradius.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.41.33.103]
Content-Type: text/plain; charset="utf-8"
Content-ID: <BE93BE0611BB564BADD47F9DCF003943@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/4ffq_V3wON5eGxYXeKiY6PyHdqU>
Cc: Winter Stefan <stefan.winter@restena.lu>, "radext@ietf.org" <radext@ietf.org>
Subject: Re: [radext] Meeting in Seoul - call for talking slot requests
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2016 21:33:19 -0000
Hi Alan, Many thanks for your review. > On Oct 26, 2016, at 4:47 PM, Alan DeKok <aland@deployingradius.com> wrote: > > >> On Oct 25, 2016, at 6:41 PM, Brian Weis (bew) <bew@cisco.com> wrote: >> >> Hi Stefan, >> >> I have recently posted a new draft <https://tools.ietf.org/html/draft-weis-radext-mud-00>, and if possible I’d appreciate 10 minutes or so of the meeting to introduce it. The draft allows RADIUS to help complete a solution using the Manufacturer Usage Description (MUD) Specification (<https://tools.ietf.org/html/draft-ietf-opsawg-mud-01>). > > My $0.02, mostly nits. > > - define the new attribute as of type "string", and reference the data types draft. This lets you remove the ASCII art I wasn’t aware of this document, will look into doing this for the next version. > - perhaps have a discussion of the security implications of MAB in Section 5. I don't recall seeing a discussion of this before in a RADIUS document > > - i.e.MAB requests rely on MAC address from the end user machine... which can be trivially forged. What are the implications of send the wrong MUD info to a machine which is lying to you? That’s an interesting point. I touched on a a similar issue in the current security considerations, acknowledging that the actual DHCP or LLDP message might have been received on the NAS unprotected. But I take your point that sine MAB is mentioned that implications of a forged MAC address is probably in scope. One mitigation would be to require 802.1X and only accept MUD URIs in packets from which the MAC address(es) that have strongly authenticated. To completely mitigate the attack, add MACsec (IEEE 802.1AE) to wired ports. In any case, MUD is most valuable in helping devices emitting a MUD URI using a MAC address that it actually owns, because the NAS can proactively install policy to protect that MAC address against attacks in the future. I’ll think about what the security considerations section should say about the ramifications of an evil device specifying a false MAC address given that, as you say, perhaps no other RADIUS document has done that. > But the concept does seem rather simple. I think a short & clear specification such as this is good. Excellent, thanks. Brian -- Brian Weis Security, CSG, Cisco Systems Telephone: +1 408 526 4796 Email: bew@cisco.com
- [radext] Meeting in Seoul - call for talking slot… Stefan Winter
- Re: [radext] Meeting in Seoul - call for talking … Alan DeKok
- Re: [radext] Meeting in Seoul - call for talking … Brian Weis (bew)
- Re: [radext] Meeting in Seoul - call for talking … Alan DeKok
- Re: [radext] Meeting in Seoul - call for talking … Brian Weis (bew)
- Re: [radext] Meeting in Seoul - call for talking … Stefan Winter
- Re: [radext] Meeting in Seoul - call for talking … Alan DeKok