[radext] Consequences of removing Message-Authenticator from RADIUS/1.1 messages
Heikki Vatiainen <hvn@radiatorsoftware.com> Thu, 20 July 2023 15:22 UTC
Return-Path: <hvn@radiatorsoftware.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFB44C151089 for <radext@ietfa.amsl.com>; Thu, 20 Jul 2023 08:22:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=radiatorsoftware-com.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xMUZnnUirSf0 for <radext@ietfa.amsl.com>; Thu, 20 Jul 2023 08:22:07 -0700 (PDT)
Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C565CC14F6EC for <radext@ietf.org>; Thu, 20 Jul 2023 08:22:07 -0700 (PDT)
Received: by mail-ed1-x531.google.com with SMTP id 4fb4d7f45d1cf-52166c7f77cso1316164a12.2 for <radext@ietf.org>; Thu, 20 Jul 2023 08:22:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=radiatorsoftware-com.20221208.gappssmtp.com; s=20221208; t=1689866526; x=1690471326; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=mf8qDaC9p+xRD/WzixztuWQlOAPhj5UlA8r+xnCibQ4=; b=R8+VA2FAX1uKtYO11ntXXkuVJPFYNcMUekLbbIWeEPQafK5qAUcgrx8pXt5Lgy5Dva np71/TbJt31DExlezg0dpAQgQaPLmIGAHJDGsUrsCSIHFVoVVcJh7sevZ0OMnVgXK15v t8X1r/NBd7wV6xJjIDXd9cKX+n46mzB8cXTCnIEOm9Y5UIllEpsdL0jpq4dGjMM/eyEj MKzIOldEutjwPgF0uI5CQFGJFda7FYksvc7/xLvWXPhB8c8zCrR74fv51reofuujukfd EmgAEhtpSlZBKqxVOLgy87ueVu6NJIi7jK7q7oPV6dVKagPmc2JigCTEFKpGh6/US22K r2Bw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689866526; x=1690471326; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=mf8qDaC9p+xRD/WzixztuWQlOAPhj5UlA8r+xnCibQ4=; b=PZnzZhs0EsM5297INqtawVzDsjKWuAy7a8usqqdCOOENrZHl9V5Z5lOUk9cFpvQrNB CnN2m3j4q7KHiSW07fkN6IgjviKeFzPtv+LF39I1VlQDRqYVIrDuHcIVgDpUe/hjBv7s djnhT0FY8aj2+jZZ4PK3alzhAEDtZ9faq+aozCovruUtRkBKf3xv9zTcHnWRH6qveidB EUPJB2/slj6vzImX/N6t8eIVGhwsp+1WNFnXUb1lwpOJrOb5gcYzso/ZE32dCOMYLFOq UyQxQgemaB4Uz73Ax+jPf3koznAybkRAOutSfESDrt8KLtM0+GiC/ipEoXMd3GQTBYWk dY/w==
X-Gm-Message-State: ABy/qLafkqgR+g5dON7fdzPGW154zV3jO4ptUtF2nnlWzCo9SoIZ+snM e5dfIAKB4O7ZQJ7BP1YQkS2xlHFdn9uC3NXM6lRg5yTyXuFca7C6Q1M=
X-Google-Smtp-Source: APBJJlHVAAuffr1XT8qxTWKjcPQga2afjIq14pZmJpVttN1AH2liCZhTPVUEHuuhcSfQ+BOrzOI9HNpDx2WSpTI82EA=
X-Received: by 2002:a50:ee82:0:b0:521:d93e:1246 with SMTP id f2-20020a50ee82000000b00521d93e1246mr2030952edr.32.1689866526077; Thu, 20 Jul 2023 08:22:06 -0700 (PDT)
MIME-Version: 1.0
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Thu, 20 Jul 2023 18:21:49 +0300
Message-ID: <CAA7Lko9C8Sey77OdLPB++Njd8jDurLSpLA1AN-0LN3q7yjjsDQ@mail.gmail.com>
To: radext@ietf.org
Content-Type: multipart/alternative; boundary="0000000000000159ef0600ecb687"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/Aetwbnqy4ZTBRcFDAjdlN5VdHVQ>
Subject: [radext] Consequences of removing Message-Authenticator from RADIUS/1.1 messages
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2023 15:22:11 -0000
Here's another RADIUS/1.1 implementation related topic that might be useful to discuss. Section 5.2. states the following about Message-Authenticator: https://www.ietf.org/archive/id/draft-ietf-radext-radiusv11-01.html#name-message-authenticator The Message-Authenticator attribute ([RFC3579] Section 3.2) MUST NOT be sent over a RADIUS/1.1 connection. That attribute is no longer used or needed. And a bit further: That is, a proxy which received a Message-Authenticator attribute from a client would never forward that attribute as-is to another server. Instead, the proxy would either suppress, or re-create, the Message-Authenticator attribute in the outgoing request. Here's a simple RADIUS proxy system. C ---- P1 ---- P2 ---- S C is a RADIUS client, P1 and P2 are Radius proxies and S is Radius server that authenticates requests originated by C. For this example the RADIUS Access-Request messages do not carry EAP and C adds Message-Authenticator to the requests at its discretion. What Radiator currently does by default is that it when it proxies a request, it re-creates Message-Authenticator if it were received from a previous hop. With RADIUS over UDP and RadSec S will receive requests with Message-Authenticator depending on whether C added them to its requests or not. If the link between P1 and P2 is upgraded to RADIUS/1.1, P2 no longer sees Message-Authenticator attribute in messages received from P1 and therefore will not add them to the requests sent to S. For example: https://www.ietf.org/archive/id/draft-grayson-radext-rabble-01.html would likely benefit from Message-Authenticator when it's Access-Requests are transferred over RADIUS/UDP links. The current version of the draft does not require Message-Authenticator, but lets pretend it does for the sake of an example. When a RABBLE request is proxied over a RADIUS/1.1 link, such as P1 -> P2 above, the Message-Authenticator is dropped. It's not likely that P2 would know about RABBLE and what it requires and would need a hint (Message-Authenticator in requests received from P1) to re-create it when proxying to S. There are likely a number of other cases too where a similar problem could arise. It can be worked around by configuring P2 to always add Message-Authenticator to the forwarded requests. This would then apply to all requests, which may not be desired either. Should we keep Message-Authenticator in RADIUS/1.1 messages? Possibly fill it with a random or placeholder hint that that makes it clear that it does not contain a MD5-derived value. Or maybe use a header flag to indicate that Message-Authenticator was stripped? -- Heikki Vatiainen hvn@radiatorsoftware.com
- [radext] Consequences of removing Message-Authent… Heikki Vatiainen
- Re: [radext] Consequences of removing Message-Aut… Alan DeKok
- Re: [radext] Consequences of removing Message-Aut… Alan DeKok
- Re: [radext] Consequences of removing Message-Aut… Heikki Vatiainen
- Re: [radext] Consequences of removing Message-Aut… Alan DeKok