IETF Logo Mail Archive

Re: [radext] Secure COA

Sam Hartman <hartmans@painless-security.com> Tue, 24 March 2015 14:59 UTC

Return-Path: <hartmans@painless-security.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 854FE1A87E0 for <radext@ietfa.amsl.com>; Tue, 24 Mar 2015 07:59:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NfGUnj0d_aVZ for <radext@ietfa.amsl.com>; Tue, 24 Mar 2015 07:59:46 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 566EF1A87D2 for <radext@ietf.org>; Tue, 24 Mar 2015 07:59:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 16D0420678; Tue, 24 Mar 2015 10:58:06 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id euD2x7N5HPDP; Tue, 24 Mar 2015 10:58:04 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (unknown [10.1.10.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Tue, 24 Mar 2015 10:58:04 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 5A17B8720D; Tue, 24 Mar 2015 10:59:43 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Alan DeKok <aland@deployingradius.com>
References: <5502B836.5000100@restena.lu> <alpine.WNT.2.20.1.1503221133420.3600@SMURF> <9C712CB9-7834-4049-9318-54E769F7661D@deployingradius.com> <alpine.WNT.2.20.1.1503221518060.3600@SMURF> <2DB68EA1-97A6-4263-9E7F-9BD24B567C7A@deployingradius.com> <alpine.WNT.2.20.1.1503221852040.3600@SMURF> <5FA970CC-2E05-4EFC-8AE6-840D334B28E4@deployingradius.com> <alpine.WNT.2.20.1.1503230923000.3600@SMURF> <1A6EF1EA-3412-4AAA-9646-3FD18EC0C4E4@deployingradius.com> <tsl4mpbb8r6.fsf@mit.edu> <6C5BFB5E-133B-4D3A-AB80-81D1C0F9AE38@deployingradius.com>
Date: Tue, 24 Mar 2015 10:59:43 -0400
In-Reply-To: <6C5BFB5E-133B-4D3A-AB80-81D1C0F9AE38@deployingradius.com> (Alan DeKok's message of "Tue, 24 Mar 2015 06:59:16 -0500")
Message-ID: <tsllhim8mqo.fsf_-_@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/8FdfQDpjZdV9MWOoWmB4TE5MESE>
Cc: radext@ietf.org, Peter Deacon <peterd@iea-software.com>
Subject: Re: [radext] Secure COA
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2015 14:59:48 -0000

>>>>> "Alan" == Alan DeKok <aland@deployingradius.com> writes:

    Alan> On Mar 23, 2015, at 6:21 PM, Sam Hartman <hartmans@painless-security.com> wrote:
    >> I think solving this requirement would be necessary for moving
    >> COA to the standards track or removing the health warning in
    >> 5176.

    Alan>   I agree.

    Alan>   Let’s say that each proxy selectively forwards CoA packets
    Alan> based on it’s knowledge of the user sessions.  This means that
    Alan> every proxy has to maintain information on every user session,
    Alan> which is untenable.

I actually can think of ways of approaching this.
This scaling problem seems no worse than some scaling problems websites
face and some of the solutions there seem applicable.
However, this seems like the wrong approach to me, because it is more
complex than needed.

    Alan>   Or maybe the sessions contain some kind of state that the
    Alan> proxy can cryptographically verify.  That means sharing the
    Alan> cryptographic keys with all proxies, which is also untenable.

It's much less obvious to me that this is untenible.
We definitely have key distribution mechanisms that seem up to the task.
This is especially true in deployments where the original access request
travels through  the same operators as  the COA packet travels in
reverse.
In that case, operators can add/transform their own state, and need only
manage keys within  their own domain.


    Alan>   In the end, I don’t see this as a session state problem.
    Alan> It’s a routing problem.  For a situation Visited -> Proxy ->
    Alan> Home, packets are usually forwarded based on User-Name, and
    Alan> realm.  When the Home server wants to disconnect a user, it
    Alan> typically sends User-Name as part of the session
    Alan> identification attributes.  So all that’s needed is for the
    Alan> proxy to look up that realm.

    Alan>   i.e. the algorithm is this:

    Alan> forwarding proxy: receive packet with User-Name, look up
    Alan> realm, and forward packet to that realm.

    Alan> CoA proxy: receive packet with Operator-Name and User-Name.
    Alan> Look up realm from *User-Name*.  If the source of the packet
    Alan> does not match a known destination for that realm, then drop
    Alan> the packet as being non-compliant.  Otherwise, look up realm
    Alan> from *Operator-Name*, and forward the CoA packet there.

This seems fairly weak to me.

I'd be much more comfortable with a solution that took routing and
session state into account.

v2.23.0 | Report a Bug | By Email