IETF Logo Mail Archive

Re: [radext] Adam Roach's Discuss on draft-ietf-radext-coa-proxy-05: (with DISCUSS and COMMENT)

Adam Roach <adam@nostrum.com> Tue, 14 August 2018 13:43 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7061130E98; Tue, 14 Aug 2018 06:43:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level:
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id isi2bHqzEkDN; Tue, 14 Aug 2018 06:43:49 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38C9E12F1A6; Tue, 14 Aug 2018 06:43:49 -0700 (PDT)
Received: from Orochi.local (c-73-206-50-7.hsd1.tx.comcast.net [73.206.50.7]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w7EDhNHl030901 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 14 Aug 2018 08:43:24 -0500 (CDT) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host c-73-206-50-7.hsd1.tx.comcast.net [73.206.50.7] claimed to be Orochi.local
To: Alan DeKok <aland@deployingradius.com>
Cc: Winter Stefan <stefan.winter@restena.lu>, radext@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-radext-coa-proxy@ietf.org, radext-chairs@ietf.org
References: <153421241151.25112.5942779659969287406.idtracker@ietfa.amsl.com> <DCBC0F8A-E486-4844-8C7A-CCDEBD41A0E4@deployingradius.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <0d9cc14c-d065-87fa-5ea1-f76fde1c9c2f@nostrum.com>
Date: Tue, 14 Aug 2018 08:43:23 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <DCBC0F8A-E486-4844-8C7A-CCDEBD41A0E4@deployingradius.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/DT6Z-O1rvkTZ8eJwgGHpQFPcmPw>
Subject: Re: [radext] Adam Roach's Discuss on draft-ietf-radext-coa-proxy-05: (with DISCUSS and COMMENT)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2018 13:43:51 -0000

On 8/14/18 08:02, Alan DeKok wrote:
> On Aug 13, 2018, at 10:06 PM, Adam Roach <adam@nostrum.com> wrote:
>> This is a concern with the general mechanism, and might be due to a
>> misunderstanding on my part (which I hope you can clear up); but if I'm not
>> wrong, then I'm concerned that the mechanism as described can introduce RADIUS
>> message routing loops in some very common deployment scenarios.
>    I don't think so, for the simple reason that clearing houses don't accept CoA packets right now.
>
>    There are other reasons.

Thanks. This (and the rest of your explanation) makes sense.

>>> The value SHOULD be cryptographically strong, and SHOULD be
>>> verifiable by the Visited Network, without requiring it to track in a
>>> database every individual value of Operator-NAS-identifier which was
>>> issued.
>> I don't think this is really phrased in a way that means what you want to say.
>> If I had to guess, you mean to say that the value must be encrypted, and that it
>> must be integrity-protected. If integrity protection is important, then you also
>> need to consider techniques to avoid replay of previously-seen tokens
>    Why is replay an issue?  The point of obfuscating the information is to hide internal / private information about the network.  e.g. private IP of the NAS.

Generally, when integrity is important, so is anti-replay. If you care 
that remote parties can't create their own novel values, it would be 
surprising not to care about them squirreling away values they've seen 
before and using them later. Conversely, if you don't care about replay, 
you probably need to think really hard about why you care about integrity.

Of course, it's completely possible that I'm misunderstanding what you 
mean by "verifiable" in the original text (which gets to the heart of my 
original comment: there are terms of art for the properties that 
cryptography provides, and you really want to use them for the purpose 
of clarity.)

>    If a home server replays a previously-seen token, then one of two things will happen:
>
> - the packet will go to the NAS which hosts the user session, and will be processed normally
>
> - the packet will go to a different NAS, and will be NAKd

Sure. If that's the answer, then it seems like it's the same answer if 
the home server creates a new, invalid token; and that would mean that 
integrity isn't needed.

I'm afraid you need to go back and figure out what your actual security 
requirements are here by asking what attacks might exist, and what their 
consequences are. The current text seems to be kind of an afterthought 
without any real analysis.

>
>> (e.g., the
>> integrity protection needs to be over not just the Operator-NAS-Identifier,
>> but also over some portion of the session that prevents its replay). Most
>> notably, this desire for encryption and integrity protection is almost
>> certainly at odds with the assertion (in §3.3) that "A twenty octet string is
>> more than sufficient to individually address all of the NASes on the planet."
>> For example, the naïve approach of appending a SHA-256 hash to the end of an
>> encrypted, salted index into a table of NAS devices would require over 32 bytes
>> at its absolute minimum. So, if integrity protection is something that any
>> operator might ever want, you need to revisit the 20-byte limit.
>    32 bytes is fine.  I'll update that.

Sorry, by "more than 32 bytes," I meant that the hash itself would take 
32 bytes. You'd also have however long the Visited domain's identifier 
for the NAS is (which you originally thought would take 20 bytes), plus 
some number of nonce bytes (to prevent other networks from simply 
counting unique token values). You're really looking at more like 96 
bytes or so.

Note that this gets somewhat smaller if integrity protection isn't 
important.

>>> Other methods are
>>> possible, but we restrict ourselves to this usage, as it is the most
>>> common one.
>> This needs to be clear whether the *description* is restricted to NAI-based
>> routing, or whether the *mechanism* is. I suspect it's the former; in any case,
>> please add text.
>    This spec documents NAI-based CoA proxying.  Other methods can be used, but aren't discussed here.
>
>    The mechanism for discovering next hop is specific to NAI-based proxying.

Okay; make this clearer, please.

Thanks!

/a

v2.23.0 | Report a Bug | By Email