IETF Logo Mail Archive

Re: [radext] Eric Rescorla's No Objection on draft-ietf-radext-coa-proxy-05: (with COMMENT)

Adam Roach <adam@nostrum.com> Wed, 15 August 2018 19:47 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3F46130FD4; Wed, 15 Aug 2018 12:47:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.878
X-Spam-Level:
X-Spam-Status: No, score=-1.878 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qUi7EehefvJD; Wed, 15 Aug 2018 12:47:25 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 923D6130F6D; Wed, 15 Aug 2018 12:47:25 -0700 (PDT)
Received: from Orochi.local (c-73-206-50-7.hsd1.tx.comcast.net [73.206.50.7]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w7FJlNJG030111 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 15 Aug 2018 14:47:24 -0500 (CDT) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host c-73-206-50-7.hsd1.tx.comcast.net [73.206.50.7] claimed to be Orochi.local
To: Eric Rescorla <ekr@rtfm.com>, Alan DeKok <aland@freeradius.org>
Cc: radext-chairs@ietf.org, radext@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-radext-coa-proxy@ietf.org, Winter Stefan <stefan.winter@restena.lu>
References: <153434610726.14442.18102779548524907034.idtracker@ietfa.amsl.com> <885EEC1B-966C-4B97-8556-43527C051956@freeradius.org> <CABcZeBMc=YbP21C=vy+P-DRvcZfOxgMqeS_snS8JKFPkN90fuA@mail.gmail.com> <E8303036-09B5-4C4E-9BF6-9696261C0912@freeradius.org> <CABcZeBPUEH2SjBDJ+0uthqnzpWXoE+vuik17FZZ=FdJfo5MLeA@mail.gmail.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <ed9fcccc-ce7b-c90b-b1cd-a4826824aa17@nostrum.com>
Date: Wed, 15 Aug 2018 14:47:23 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CABcZeBPUEH2SjBDJ+0uthqnzpWXoE+vuik17FZZ=FdJfo5MLeA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------9A2B477B68AB4505018C69FE"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/8GyoqOp3QXfMzD-iblCe7e4HC5c>
Subject: Re: [radext] Eric Rescorla's No Objection on draft-ietf-radext-coa-proxy-05: (with COMMENT)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Aug 2018 19:47:28 -0000

Alan --

Thanks for the new text. This is a nice set of improvements overall, but 
I still
have concerns relating to the contents of the Operator-NAS-Identifier 
attribute.

---------------------------------------------------------------------------

§3.4:

 >  Length
 >
 >     4 to 23.
 >
 >     Implementations supporting this attribute MUST be able to handle
 >     between one (1) and thirty-two (32) octets of data.

It seems to me that "4 to 23" needs updating here.

I'll note that 32 octets is still too short for modern block-based ciphers
(the "more than" in my "more than 32 bytes" suggestion probably should have
said "much more than."). For example, if someone wanted to use GCM here (as
the text still says "encrypt"), you'd need 32 bytes for the ciphertext, 4 to
32 bytes for the tag, and something on the order of 12 bytes for the IV. 
So it
would be more like 76 bytes rather than 32.

Alternately, and this is my suggestion, remove "encrypt" entirely from this
section, replacing it with "obfuscate." Concretely:

       The second method is to obfuscate the NAS IP address using 
information
       known locally by the Visited network; for example, by XORing it 
with a
       bitmask.  The output of that obfuscation operation is data that 
can be
       used as the value of Operator-NAS-Identifier.  On reception of a CoA
       packet, the locally-known information can be used to un-obfuscate the
       value of Operator-NAS-Identifier, in order to determine the 
actual NAS
       IP address.

Given that we've established that actual encryption isn't necessary 
here, this
seems easier than expanding the field to be large enough to actually encrypt
stuff.

---------------------------------------------------------------------------

§2.1:

 >  In order to determing the "next hop" for a packet, the proxying

Nit: "...determine..."


Thanks!

/a

On 8/15/18 11:37, Eric Rescorla wrote:
> Fantastic. Thanks!
>
> -Ekr
>
>
> On Wed, Aug 15, 2018 at 9:14 AM, Alan DeKok <aland@freeradius.org 
> <mailto:aland@freeradius.org>> wrote:
>
>     On Aug 15, 2018, at 12:12 PM, Eric Rescorla <ekr@rtfm.com
>     <mailto:ekr@rtfm.com>> wrote:
>     >
>     >   As such, there is no need for integrity checks, replay
>     detection, privacy, etc.
>     >
>     > OK, well, the text needs to say this, because the existing text
>     implies otherwise.
>
>       I will issue a new version shortly with the offending text
>     removed, and the above text added.
>
>       Alan DeKok.
>
>

v2.23.0 | Report a Bug | By Email