IETF Logo Mail Archive

Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04

Alan DeKok <aland@deployingradius.com> Fri, 05 April 2013 13:23 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A391321F88BF for <radext@ietfa.amsl.com>; Fri, 5 Apr 2013 06:23:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hqBzyMSNWZao for <radext@ietfa.amsl.com>; Fri, 5 Apr 2013 06:23:57 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id 64BFF21F87E4 for <radext@ietf.org>; Fri, 5 Apr 2013 06:23:56 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id B0F4022410F7; Fri, 5 Apr 2013 15:23:21 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ff5TqMzyuaO9; Fri, 5 Apr 2013 15:23:21 +0200 (CEST)
Received: from Thor-2.local (unknown [70.50.217.204]) by power.freeradius.org (Postfix) with ESMTPSA id A969D2240C73; Fri, 5 Apr 2013 15:23:20 +0200 (CEST)
Message-ID: <515ED047.3040200@deployingradius.com>
Date: Fri, 05 Apr 2013 09:23:19 -0400
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Sam Hartman <hartmans@painless-security.com>
References: <1A5FDF7C-9E93-447E-A103-9700349CB2F5@gmail.com> <alpine.WNT.2.00.1304021450180.3988@SMURF> <515C3604.3040406@deployingradius.com> <alpine.WNT.2.00.1304042021411.3988@SMURF> <tslli8xnoms.fsf@mit.edu>
In-Reply-To: <tslli8xnoms.fsf@mit.edu>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: radext@ietf.org, Peter Deacon <peterd@iea-software.com>, radext-chairs@tools.ietf.org
Subject: Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 13:23:57 -0000

Sam Hartman wrote:
> We're talking about a period of less than a few seconds, right, while
> requests are in flight?
> So, this issue only comes up in operational environments where a single
> NAS or proxy cannot afford  an outage of the maximum lifetime of a
> RADIUS request.

  How about this text below.  It clarifies that the transition path is
meant to be temporary.  The text around transition is there only to
ensure we get it right.



3. Transition Path

Transitioning to DTLS is a process which needs to be done carefully.
A poorly handled transition is complex for administrators, and
potentially subject to security downgrade attacks.  It is not
sufficient to just disable RADIUS/UDP and enable RADIUS/DTLS.  That
approach would result in timeouts, lost traffic, and network
instabilities.

The end result of this specification is that nearly all RADIUS/UDP
implementations should transition to using RADIUS/DTLS.  In some
cases, RADIUS/UDP may remain where IPSec is used as a transport, or
where implementation and/or business reasons preclude a change.
However, long-term use of RADIUS/UDP is NOT RECOMMENDED.

This section describes how clients and servers should transition to
DTLS.  There is a fair amount of discussion around this transition, as
it is critical to get it correct.  We expect that once implementations
have transitioned to RADIUS/DTLS, the text in this section will no
longer be relevant.

3.1 Server Transition to DTLS

As this specification permits server implementations to accept both
RADIUS/UDP and RADIUS/DTLS packets on the same port, we require a
method to disambiguate packets between the two protocols.  This method
is applicable only to RADIUS/DTLS servers.

The disambiguation method leverages the RADIUS/UDP requirement that
clients be known by source IP address.  RADIUS/DTLS servers MUST treat
packets from unknown IP addresses as being DTLS.  This requirement
does not mean that the server is required to accept these packets.  It
means that if the server chooses to accept them, they are to be
treated as being DTLS.

For packets from known IP addresses RADIUS/DTLS servers MUST maintain
a boolean "DTLS Required" flag for each client that indicates if it
requires a client to use RADIUS/DTLS.  If the flag is "true" then all
packets from that client MUST be processed as RADIUS/DTLS.

The transition to RADIUS/DTLS is performed only when the "DTLS
Required" flag is "false".  This setting means that the client is
known to support RADIUS/UDP, but may also support RADIUS/DTLS.
Packets from the client need to be examined to see if they are
RADIUS/UDP or RADIUS/DTLS.  The protocol disambiguation method
outlined below in Section 5.1.2 MUST be used to determine how received
packets are treated.

v2.39.1 | Report a Bug | By Email | System Status