IETF Logo Mail Archive

Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04

Peter Deacon <peterd@iea-software.com> Sat, 06 April 2013 16:35 UTC

Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85A8221F8E99 for <radext@ietfa.amsl.com>; Sat, 6 Apr 2013 09:35:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.53
X-Spam-Level:
X-Spam-Status: No, score=-2.53 tagged_above=-999 required=5 tests=[AWL=0.069, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5-DTeDxITSOh for <radext@ietfa.amsl.com>; Sat, 6 Apr 2013 09:35:15 -0700 (PDT)
Received: from aspen.internal.iea-software.com (remote.iea-software.com [70.89.142.196]) by ietfa.amsl.com (Postfix) with ESMTP id E270C21F8BF0 for <radext@ietf.org>; Sat, 6 Apr 2013 09:35:14 -0700 (PDT)
Received: from SMURF (unverified [10.0.3.195]) by aspen.internal.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005878403@aspen.internal.iea-software.com>; Sat, 6 Apr 2013 09:35:14 -0700
Date: Sat, 06 Apr 2013 09:35:09 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <5160255B.40409@deployingradius.com>
Message-ID: <alpine.WNT.2.00.1304060913320.3988@SMURF>
References: <1A5FDF7C-9E93-447E-A103-9700349CB2F5@gmail.com> <alpine.WNT.2.00.1304021450180.3988@SMURF> <515C3604.3040406@deployingradius.com> <alpine.WNT.2.00.1304042021411.3988@SMURF> <tslli8xnoms.fsf@mit.edu> <515ED047.3040200@deployingradius.com> <alpine.WNT.2.00.1304051020120.3988@SMURF> <5160255B.40409@deployingradius.com>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: Sam Hartman <hartmans@painless-security.com>, radext-chairs@tools.ietf.org, radext@ietf.org
Subject: Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Apr 2013 16:35:15 -0000

On Sat, 6 Apr 2013, Alan DeKok wrote:

>> I don't think this will work for us.  This is data that people use to
>> flag/report possible new clients they should have known about, existing
>> clients with changed addresses and plain old configuration errors.

>  I don't see how that relates to what I said.  The text doesn't
> *prevent* you from flagging IP addresses, or warning an admin about
> packets from those IPs.

Requests from unknown IPs by itself is not useful.  Normally access to the 
RADIUS request (NAS-ID) often provides relevant clue.

>> It can be a configuration option, done conditionally within the context
>> protocol disambiguation or even a recommendation but not something
>> unconditionally required.

>  This is how RADIUS works today.  Clients are keyed by known IP.
> Changing that is not an option for RADIUS/UDP.

The comment above was in context of MUST requirement within text quoted. 
I'm not arguing the policy.. only MUST is too strong.  For example 
changing to SHOULD would be fine.

>> Suggest reversing this.  Have the client maintain the flag.  If DTLS
>> handshake has succeeded then client uses DTLS from then on for any
>> inquiries without the option of automatically falling back to UDP.

>  The draft already discusses a flag for the client.

I apologize for any misunderstanding.  The migration would be in the 
client rather than server.  They would both have flags but the automatic 
upgrade with memory to prevent downgrade would be handled at the client.

>> Servers would still maintain flag but it would only be a manually 
>> turned knob to indicate security level it is willing to accept.

>  The draft allows it to me administratively configured.

This appears to be restricted by the current text of the draft.  See the 
following from section 3.1.  The server MUST maintain the flag and 
description of "false" value mandates migration using MUST keyword.

    "RADIUS/DTLS servers MUST maintain a boolean "DTLS Required" flag for
    each client that indicates if it requires a client to use
    RADIUS/DTLS.  The interpretation of this flag is as follows. If the
    flag is "true" then the client supports RADIUS/DTLS, and all packets
    from that client MUST be processed as RADIUS/DTLS.  If the flag is
    "false", then the client supports RADIUS/UDP, but may still support
    RADIUS/DTLS. "

    "Once a RADIUS/DTLS server has established a DTLS session with a
    client that previously had the flag set to "false", the server MUST
    set the "DTLS Required" flag to "true".  This change requires all
    subsequent traffic from that client to use DTLS, and prevents
    bidding-down attacks."

regards,
Peter

v2.39.1 | Report a Bug | By Email | System Status