Re: [radext] Secure COA
Sam Hartman <hartmans@painless-security.com> Tue, 24 March 2015 14:59 UTC
Return-Path: <hartmans@painless-security.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 854FE1A87E0 for <radext@ietfa.amsl.com>; Tue, 24 Mar 2015 07:59:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NfGUnj0d_aVZ for <radext@ietfa.amsl.com>; Tue, 24 Mar 2015 07:59:46 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 566EF1A87D2 for <radext@ietf.org>; Tue, 24 Mar 2015 07:59:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 16D0420678; Tue, 24 Mar 2015 10:58:06 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id euD2x7N5HPDP; Tue, 24 Mar 2015 10:58:04 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (unknown [10.1.10.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Tue, 24 Mar 2015 10:58:04 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 5A17B8720D; Tue, 24 Mar 2015 10:59:43 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Alan DeKok <aland@deployingradius.com>
References: <5502B836.5000100@restena.lu> <alpine.WNT.2.20.1.1503221133420.3600@SMURF> <9C712CB9-7834-4049-9318-54E769F7661D@deployingradius.com> <alpine.WNT.2.20.1.1503221518060.3600@SMURF> <2DB68EA1-97A6-4263-9E7F-9BD24B567C7A@deployingradius.com> <alpine.WNT.2.20.1.1503221852040.3600@SMURF> <5FA970CC-2E05-4EFC-8AE6-840D334B28E4@deployingradius.com> <alpine.WNT.2.20.1.1503230923000.3600@SMURF> <1A6EF1EA-3412-4AAA-9646-3FD18EC0C4E4@deployingradius.com> <tsl4mpbb8r6.fsf@mit.edu> <6C5BFB5E-133B-4D3A-AB80-81D1C0F9AE38@deployingradius.com>
Date: Tue, 24 Mar 2015 10:59:43 -0400
In-Reply-To: <6C5BFB5E-133B-4D3A-AB80-81D1C0F9AE38@deployingradius.com> (Alan DeKok's message of "Tue, 24 Mar 2015 06:59:16 -0500")
Message-ID: <tsllhim8mqo.fsf_-_@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/8FdfQDpjZdV9MWOoWmB4TE5MESE>
Cc: radext@ietf.org, Peter Deacon <peterd@iea-software.com>
Subject: Re: [radext] Secure COA
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2015 14:59:48 -0000
>>>>> "Alan" == Alan DeKok <aland@deployingradius.com> writes: Alan> On Mar 23, 2015, at 6:21 PM, Sam Hartman <hartmans@painless-security.com> wrote: >> I think solving this requirement would be necessary for moving >> COA to the standards track or removing the health warning in >> 5176. Alan> I agree. Alan> Let’s say that each proxy selectively forwards CoA packets Alan> based on it’s knowledge of the user sessions. This means that Alan> every proxy has to maintain information on every user session, Alan> which is untenable. I actually can think of ways of approaching this. This scaling problem seems no worse than some scaling problems websites face and some of the solutions there seem applicable. However, this seems like the wrong approach to me, because it is more complex than needed. Alan> Or maybe the sessions contain some kind of state that the Alan> proxy can cryptographically verify. That means sharing the Alan> cryptographic keys with all proxies, which is also untenable. It's much less obvious to me that this is untenible. We definitely have key distribution mechanisms that seem up to the task. This is especially true in deployments where the original access request travels through the same operators as the COA packet travels in reverse. In that case, operators can add/transform their own state, and need only manage keys within their own domain. Alan> In the end, I don’t see this as a session state problem. Alan> It’s a routing problem. For a situation Visited -> Proxy -> Alan> Home, packets are usually forwarded based on User-Name, and Alan> realm. When the Home server wants to disconnect a user, it Alan> typically sends User-Name as part of the session Alan> identification attributes. So all that’s needed is for the Alan> proxy to look up that realm. Alan> i.e. the algorithm is this: Alan> forwarding proxy: receive packet with User-Name, look up Alan> realm, and forward packet to that realm. Alan> CoA proxy: receive packet with Operator-Name and User-Name. Alan> Look up realm from *User-Name*. If the source of the packet Alan> does not match a known destination for that realm, then drop Alan> the packet as being non-compliant. Otherwise, look up realm Alan> from *Operator-Name*, and forward the CoA packet there. This seems fairly weak to me. I'd be much more comfortable with a solution that took routing and session state into account.
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Sam Hartman
- Re: [radext] Proposed new charter text Stefan Winter
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Sam Hartman
- Re: [radext] Secure COA Sam Hartman
- Re: [radext] Secure COA Alan DeKok
- Re: [radext] Secure COA Sam Hartman
- Re: [radext] Proposed new charter text Peter Deacon
- [radext] Proposed new charter text Stefan Winter
- Re: [radext] Proposed new charter text Stefan Winter
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Stefan Winter