[radext] Re: Proposed Security Considerations Text
Margaret Cullen <mrcullen42@gmail.com> Wed, 31 July 2024 02:08 UTC
Return-Path: <mrcullen42@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D85E5C14F685 for <radext@ietfa.amsl.com>; Tue, 30 Jul 2024 19:08:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.858
X-Spam-Level:
X-Spam-Status: No, score=-1.858 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jLMJt6E9AeTV for <radext@ietfa.amsl.com>; Tue, 30 Jul 2024 19:08:35 -0700 (PDT)
Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C9EDC14F5F7 for <radext@ietf.org>; Tue, 30 Jul 2024 19:08:35 -0700 (PDT)
Received: by mail-qk1-x735.google.com with SMTP id af79cd13be357-7a1d6f47112so329945585a.0 for <radext@ietf.org>; Tue, 30 Jul 2024 19:08:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722391714; x=1722996514; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=+GLwxJnhlwt84JIbt0FlpBljDJyZeH3jsx2lHyyFGEI=; b=BSyWKoXH1Xwp0zpBvoWkLzphIatUrtw7uNOud0s0OiMNM1CJULXJZBOJhqLAvbfhuL PtekPg6BYscBuF9fEwfR90/LoetCkOnpA+zDcOgxmoLTBIDZXdbDpe7tTS1T66cZHDPl 8j4NfD9Qb0geInOjIUBgHgoTmguTBG6LfxvcWRjccDeYCnocG/NIWtiX7HbZJLTDgkCS FlLR0eenYHkiprjJCCU0N7kROXdRY7Ds6FqFep/lluUAxkKc8HVxon0oyrkdVNLQQOp4 6ma+x1f70U5+VOF0A69a6v/MhjwW6m9OttiOsNzM9ywWNlgh4LK57GLlzN4X7tsN/tEy s3pQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722391714; x=1722996514; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+GLwxJnhlwt84JIbt0FlpBljDJyZeH3jsx2lHyyFGEI=; b=FaU90SujFbPB1v/HsTyBF3JvTD1e3VNRI9SSttQkmEzoFbeHSQM8kZ19CuU0fddoDw 9nyNNddyhVdnkLCtc3fTecOP9SSOwcqilp/OPsoVp3BzugseWAUN/oGh1+BKUc9HRs5O 1VNR1KIMsWaVtKooCe9zVSUlBdNRoFWmnrwMhjF56YrxxHyzNaJEBo3jgRlwOZoZiSnP Q68Zl2x6NmWilI6erPtETzfcxHAh3hJ1QzRtuxYMql/BjxMXk/PZ6hfMsV/sPJbYdlz4 RhsLP1KOoUjZfPgiurVvWVN6/25zcTrr7GfZzIXvOYqPhvpVLofunyfy8BcXJx5U4U7l Mh7w==
X-Gm-Message-State: AOJu0YzYnPmsvnVfG7RG5V9FhFHwx1SjQ6+Q8V0Vj8S8itYU1UTNRoAX EflLl76Jlhox4Sx8qHxgDbob5sNTPUjeN2D67gKy7Fn0L2/ER+zRP0Rk8Q==
X-Google-Smtp-Source: AGHT+IEcZCFTuAK2Jcpk9bZfjJvPgOH+YSoTmcPA7vGtnSOX/vejJ4kug1pwDWnjOBOVJL4fQ7crrg==
X-Received: by 2002:a05:620a:4110:b0:7a1:cd2c:f37d with SMTP id af79cd13be357-7a1e531900bmr1639990685a.66.1722391713771; Tue, 30 Jul 2024 19:08:33 -0700 (PDT)
Received: from smtpclient.apple ([2607:fb91:2644:28e:1fe:f6b6:4d01:181c]) by smtp.gmail.com with ESMTPSA id af79cd13be357-7a1d73b383asm697478385a.34.2024.07.30.19.08.32 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 30 Jul 2024 19:08:32 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Margaret Cullen <mrcullen42@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Tue, 30 Jul 2024 22:08:21 -0400
Message-Id: <C7F8E6B6-1242-40F8-B8A3-EB51B7A3D3F8@gmail.com>
References: <AA5854AF-3555-46BE-A25D-29193DFCA6A8@deployingradius.com>
In-Reply-To: <AA5854AF-3555-46BE-A25D-29193DFCA6A8@deployingradius.com>
To: Alan DeKok <aland@deployingradius.com>
X-Mailer: iPhone Mail (21F90)
Message-ID-Hash: X3S2ZPE7DOAGIQCHPINQKHTFULJBBG3R
X-Message-ID-Hash: X3S2ZPE7DOAGIQCHPINQKHTFULJBBG3R
X-MailFrom: mrcullen42@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Proposed Security Considerations Text
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/CHKW31yD7g8EAoW2gBYH3o8_e60>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
I agree that your text is much better than mine. Q also pointed me at an entire document on identities in TLS, which would make a good reference on how to identify peers, which I have struggled with how we would do, since IP Address didn’t seem right for TLS. Margaret > On Jul 30, 2024, at 9:26 PM, Alan DeKok <aland@deployingradius.com> wrote: > > On Jul 26, 2024, at 3:56 PM, Margaret Cullen <mrcullen42@gmail.com> wrote: >> X.1 Security implications of well-known “secret” value >> >> In addition to defining how a single RADIUS message transmitted over (D)TLS, this document specifies that the RADIUS “secret” value will be hard-coded to one of two well-known values (“radsec” of “radsec/dtls”). The “secret” value is used for several things in RADIUS/UDP: >> >> - authentication of a RADIUS peer, >> - authorization of a RADIUS peer to assume a particular role (client, server, CoA sender, etc.) >> - integrity protection of the message contents, and >> - hiding sensitive data in a RADIUS messages > > I don't agree with item 2. The authorization of a system has little to do with the secret. > > i.e. systems usually have a set of data associated with a client to server relationship: > > IP address (client or server) > shared secret > purpose of this connection (Access-Request, Accounting-Request, etc). > > When a packet is received by a server, the source IP is used to look up the associated tuple. Then packets which are not authorized are dropped, even if they can be authenticated. So the secret isn't necessarily involved here. > > The secret is used to: > > * authenticate packets received from a peer > * verify per-packet integrity checks > * obfuscate sensitive data > > >> X.1.1 Authentication and Authorization of a RADIUS Peer >> >> When a RADIUS/UDP message is received, the “secret” value and the remote IP address are used to authenticate the RADIUS peer. Once the peer has been authenticated, the RADIUS server will look up the configured policy for that peer, and determine whether the peer is authorized to send the type of message that was just received. Assuming authentication and authorization are successful, the RADIUS server will process the message. Otherwise, it will be discarded. Each RADIUS message is separately authenticated and authorized as it is received. > > But the "peer" is never authenticated. Instead, each individual packet is authenticated. Perhaps: > > > When a RADIUS/UDP message is received, the remote IP address is used to verify that the packet is coming from a known peer. The IP address is also used to look up the shared secret associated with this peer. Other information may be associated with the peer, such as a set of packet codes which the receiving system is prepared to accept. For example, a server may accept only Access-Request packets on port 1812, but not accept Accounting-Request packets on that port. Similarly, a client will access Access-Accept from the server in response to an Access-Request, but will not accept an Accounting-Request response for that Access-Request. > > If the packet is from a known peer and passes any authorization checks, the shared secret is used to authenticate the packet. Packets which fail authentication are silently discarded. Packets which pass authentication are processed according to local site policies. > > The process for RADIUS/TCP is similar, except that the peer IP address is only checked on the initial TCP connection. After that, the shared secret and any authorization rules are associated with that connection, and are checked as described above. > > For RADIUS/(D)TLS, the connection is authenticated as part of TLS session establishment. Connections which fail authentication are closed, and no RADIUS traffic passes. Peers can be authenticated via certificates, via a PSK, or by any other method supported by TLS. RADIUS/(D)TLS imposes no restrictions on TLS authentication methods. > > Once a (D)TLS session is established, the peer identity (not peer IP) is used to find any associated authorization policies. RADIUS traffic received over a (D)TLS connection then follows the above process for which kinds of packets will be accepted, and how those packets will be processed. > > The result of this design is that the processing of individual packets (e.g. Access-Accept) is essentially independent of the transport protocol. The transport protocol may permit only certain peers to connect, or it may permit only certain kinds of packets to pass any authorization rules. However, once a peer has determined that it will accept a packet, further packet processing is independent of any transport protocol. For example, User-Name and User-Password validations can be performed without using knowledge of the underlying transport in which those attributes were received. > >> [Note: We should probably also have something in the normative part of the RADIUS/(D)TLS document that explains what a RADIUS implementation should do, when RADIUS is run over (D)TLS, anywhere that RADIUS/UDP and/or other RADIUS-adjacent specifications (such as the CoA documents) indicate that implementations should “check the secret” for any reason, as that is not a useful thing to do in RADIUS/(D)TLS.] > > While 6614 and 7360 use a fixed shared secret, the pre-existing rules still apply. i.e. discarding packets which fail validation. The only difference is that it's likely best to close the TLS session, too, if the shared secret is wrong. > >> X.1.2 Integrity protection of messages >> >> X.1.3 Hiding sensitive data in RADIUS message > > TLS does those, we don't need to do much more than mention it. > >> X.2 Security implications of connection-based vs. per-packet authentication and authorization > > I don't think there's much to say here? Q's message also covers this. > > There's only one difference I can see between "authorized client" checking either per-message, or once at the start of a connection. That difference is what to do when the "authorized client" configuration changes. > > For per-message checks, the new configuration is applied to the next received message. For per-connection checks, there is now a choice for existing connections: > > a) keep the existing connection up, and ignore the configuration change > > b) double-check the existing connection against the new "authorized client" rules. If pass, do nothing, otherwise close the connection > > c) always close the connection, and make clients reconnect using the new authorization rules. > > There are good arguments for all 3 of these behaviours. > >> >> X.3 Explanation of why TLS channel binding is not needed in RADIUS/(D)TLS > > I agree with Q here: channel bindings offer no additional security. > > If we did add TLS channel bindings, we would have to somehow glue that into the RADIUS packets inside of the tunnel. i.e. mandating connections start with Status-Server with channel binding. > > This would create additional complexity for no additional benefit. > > Alan DeKok.
- [radext] Proposed Security Considerations Text Margaret Cullen
- [radext] Re: Proposed Security Considerations Text Q Misell
- [radext] Re: Proposed Security Considerations Text Alan DeKok
- [radext] Re: Proposed Security Considerations Text Margaret Cullen
- [radext] Re: Proposed Security Considerations Text Fabian Mauchle