Re: [radext] #148: Review of dynamic-discovery by Jim Schaad
Stefan Winter <stefan.winter@restena.lu> Wed, 27 February 2013 15:19 UTC
Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B829C21F867B for <radext@ietfa.amsl.com>; Wed, 27 Feb 2013 07:19:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.179
X-Spam-Level:
X-Spam-Status: No, score=-2.179 tagged_above=-999 required=5 tests=[AWL=-0.180, BAYES_00=-2.599, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RY9b4bEQvkYS for <radext@ietfa.amsl.com>; Wed, 27 Feb 2013 07:19:25 -0800 (PST)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id AAE6D21F858A for <radext@ietf.org>; Wed, 27 Feb 2013 07:19:20 -0800 (PST)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id B768110584 for <radext@ietf.org>; Wed, 27 Feb 2013 16:19:19 +0100 (CET)
Received: from [IPv6:2001:a18:1:8:c1a3:676a:f579:5714] (unknown [IPv6:2001:a18:1:8:c1a3:676a:f579:5714]) by smtprelay.restena.lu (Postfix) with ESMTPS id A1F4A1057F for <radext@ietf.org>; Wed, 27 Feb 2013 16:19:19 +0100 (CET)
Message-ID: <512E23F3.3000307@restena.lu>
Date: Wed, 27 Feb 2013 16:19:15 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130215 Thunderbird/17.0.3
MIME-Version: 1.0
To: radext@ietf.org
References: <065.a122826c6d7c009295065142646863ee@trac.tools.ietf.org>
In-Reply-To: <065.a122826c6d7c009295065142646863ee@trac.tools.ietf.org>
X-Enigmail-Version: 1.5
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="----enig2FNMKGLVDKSCDQIOPVVLP"
X-Virus-Scanned: ClamAV
Subject: Re: [radext] #148: Review of dynamic-discovery by Jim Schaad
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2013 15:19:26 -0000
On your issue about TLS / Certs / DANE > 4) I find the security considerations to be completely inadequate for this > document. > Use of a certificate is only going to be valid if the original realm name > that is the input the validation routine is what is found and matched in > the certificate. In this case I would not know where in the name or alt > name fields of the certificate it would be found. You cannot validate to > the final DNS name as that is now an untrusted value. That's correct; in eduroam, we've settled for a good-enough solution and deploy with that: certificates need to come from an agreed set of CAs and carry a common policy OID which stands for "this is a valid eduroam IdP" (and there's a second OID for "valid hotspot" for the other side of the mutual TLS auth). In combination with DNSSEC, that gives trusted results for the entire validation process. With DNS (no SEC), a holder of a eduroam IdP certificate could manipulate another realm's DNS to point to his own server; i.e. he, as an accredited member of the consortium, could steal another member's Access-Requests and the dynamic discovery infrastructure wouldn't notice. While that's suboptimal, we found that to be a reasonable tradeoff, partly because the atmosphere inside the consortium is not at all hostile, but also because such a hijacking would still be noticed by the wrong EAP termination and the supplicant complaining about an unexpected EAP server presenting a unexpected server-side credential. That is a decision for a deployer of the algorithm to make though: the security considerations say that it's only safe with DNSSEC - which is true; every deployer is free to draw his own consequences from that. > The suggestion of out-of-band validation methods ignores the existence of > DANE. (Preface: I may very well be very mistaken about aspects of DANE. Please do correct me if I'm wrong!) We've investigated the opportunities of DANE and it seems much rather like: DANE ignores the possibility that TLS handshakes can be mutual. Which is a bummer for things like RADIUS/TLS which /require/ mutual auth. The problem is that only one side of the job can be done with DANE: there's a an input to be looked up in DNS, and that input can also be used to look up TLSA records for use in the later TLS handshake. However, as soon as the TLS server presented his credential and the client has verified that this is what is expected, the TLS client sends his own TLS credential - with no DNS involved whatsoever. It is unclear to me what the server-side end would do with the incoming data, and where/how in the DNS tree it would verify that the incoming credential matches its expectations and that the connecting client is authorised as part-of-the-club. It's not like it's impossible; I could sketch a way how this potentially might work: - client is required to have a CN or SAN:DNS pointing to an "accredited hotspot" DNS tree; like CN=restena.lu.hotspot.consortium.com; - server does TLSA lookup of that CN (and only if suffix is indeed "hotspot.consortium.com"); if it finds matching data, establish TLS connection - DNS domain hotspot.consortium.com is maintained as a registry of authorised clients, delegated to sub-branches as needed But unless I'm mistaken, none of this is written in the DANE specs. I would find it inadequate for the dynamic discovery document to make up lots of rules on implementing DANE-like things. If there were a document which specifies client-cert validation with DANE, it would be perfectly fine to add a pointer to that though. > The NAI document suggests that the RADIUS peer is pre-configured with > information about certificates or TLS validation data. The suggested text > works in the case that the table says do dynamic lookup and here is the > TLS configuration data. But in other cases it is completely unclear how a > TLS-PSK would be found for a dynamic lookup. I'd say: unless ABFAB people want to have text about the dynamic negotiation of TLS-PSK keying material with this algorithm (some ABFABs are known to read the radext list :-) ), I'd feel inclined to write that PSK cipher suites are not appropriate for use with DNS-based dynamic discovery. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
- [radext] #148: Review of dynamic-discovery by Jim… radext issue tracker
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Jouni Korhonen
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… radext issue tracker
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… radext issue tracker