Re: [radext] #148: Review of dynamic-discovery by Jim Schaad
"Jim Schaad" <ietf@augustcellars.com> Mon, 01 July 2013 20:32 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1FFD11E8279 for <radext@ietfa.amsl.com>; Mon, 1 Jul 2013 13:32:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zH1xLV4WyTrV for <radext@ietfa.amsl.com>; Mon, 1 Jul 2013 13:32:49 -0700 (PDT)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by ietfa.amsl.com (Postfix) with ESMTP id 835AB11E8254 for <radext@ietf.org>; Mon, 1 Jul 2013 13:32:49 -0700 (PDT)
Received: from Philemon (173-8-216-38-Oregon.hfc.comcastbusiness.net [173.8.216.38]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id 775072CA22; Mon, 1 Jul 2013 13:32:48 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: radext@ietf.org, draft-ietf-radext-dynamic-discovery@tools.ietf.org, stefan.winter@restena.lu
References: <065.a122826c6d7c009295065142646863ee@trac.tools.ietf.org> <080.a349ae9f35fd5ba78c6dfd60a52a8535@trac.tools.ietf.org>
In-Reply-To: <080.a349ae9f35fd5ba78c6dfd60a52a8535@trac.tools.ietf.org>
Date: Mon, 01 Jul 2013 13:31:51 -0700
Message-ID: <011401ce769a$050f8f30$0f2ead90$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQG6BiECksJl4xbIhvfkRt9hc11tPgCYwaGXmXRcQgA=
Content-Language: en-us
Subject: Re: [radext] #148: Review of dynamic-discovery by Jim Schaad
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jul 2013 20:32:56 -0000
> -----Original Message----- > From: radext-bounces@ietf.org [mailto:radext-bounces@ietf.org] On Behalf > Of radext issue tracker > Sent: Wednesday, June 26, 2013 6:16 AM > To: draft-ietf-radext-dynamic-discovery@tools.ietf.org; > stefan.winter@restena.lu > Cc: radext@ietf.org > Subject: Re: [radext] #148: Review of dynamic-discovery by Jim Schaad > > #148: Review of dynamic-discovery by Jim Schaad > > > Comment (by stefan.winter@restena.lu): > > > 1) In section 2.3.3, step 4 - what is to be considered an error at this point. > For example, there are a number of odd conditions that can be returned > from DNSSEC, specifically the "indeterminate" state. > > I've added text in my working copy which white-lists two sorts of replies as > good, and everything else as an error. Hope that is adequate and removes > all ambiguity: > > "2.3.3. Definitions > > Where the algorithm states "name resolution returns with an error", > this shall mean that either the DNS request timed out, or every > response except a) the RR queried for and b) the positive > acknowledgement that the record queried for does not exist (i.e. > status: NXDOMAIN)." I wish I knew enough DNSSEC to say for sure, however this is a good step in the right direction. > > > 2) In section 2.3.4 - Given that the above algorithm does not return a TTL > value in the event of an empty set or define how to know the TTL value > - what is the TTL value to be used in in paragraph 2 "negative TTL"? > > I'll have to modify the return value to be a tuple with the second element > being the place to put a negative TTL into (either as learned from an > NXDOMAIN reply or configured in case of an absence of any reply). I'll keep > this TRAC ticket open for this sub-issue. > > > 3) In section 2.3.5 - Does it make sense to return a result, but to continue > the algorithm and store the result after the timeouts for later use? > > We discussed this in the last meeting. It's generally a bad idea (end- users > can enter bogus DNS data and DoS the server by trying to login with > corresponding realms). An implementation could be brave and do that > anyway, so I've added text to Security Considerations explaining the issues > with it. Implementations can then do a judgment call whether they want to > take this risk. The text is: > > " The algorithm has a fixed completion time-out of three seconds. > Implementations might be tempted to continue their attempt to resolve > DNS records even after the timeout has passed; a subsequent request > for the same realm might benefit from retrieving the results anyway. > Doing so exposes the server to a Denial-of-Service risk: an attacker > might intentionally craft bogus DNS zones which take a very long time > to reply (e.g. due to a particularly byzantine tree structure, or > artificial delays in responses). If an attacker generates enough > Access-Requests for a number of such zones, it may deplete server > sockets or other server resources." I am not sure that the DOS risk would be significantly larger between a 3 and a 6 second time out. It would just require half as many requests. A better way of addressing the specific problem you have shown here would involve black-listing of DNS queries and I don't see anything in this text or the algorithm which talks about doing black listing of any type. > > > 4) I find the security considerations to be completely inadequate for this > document. > > Use of a certificate is only going to be valid if the original realm name > that is the input the validation routine is what is found and matched in the > certificate. In this case I would not know where in the name or alt name > fields of the certificate it would be found. You cannot validate to the final > DNS name as that is now an untrusted value. > > We discussed on the list that an MTI validation mechanism which works in > the absence of DNSSEC is needed (sigh!). I'll work on corresponding text > soon. I'll keep this TRAC ticket open until the text is ready. > > > The suggestion of out-of-band validation methods ignores the existence > of DANE. > > > > The NAI document suggests that the RADIUS peer is pre-configured with > information about certificates or TLS validation data. The suggested text > works in the case that the table says do dynamic lookup and here is the TLS > configuration data. But in other cases it is completely unclear how a TLS- > PSK would be found for a dynamic lookup. > > These were both discussed on the list; DANE is clumsy/not usable in its > current state; TLS-PSK is not in scope for this document. Great - please state this in the introduction material Jim > > Greetings, > > Stefan Winter > > -- > -------------------------------------+---------------------------------- > -------------------------------------+--- > Reporter: | Owner: draft-ietf-radext- > stefan.winter@restena.lu | dynamic-discovery@tools.ietf.org > Type: defect | Status: new > Priority: major | Milestone: milestone1 > Component: dynamic-discovery | Version: 1.0 > Severity: - | Resolution: > Keywords: | > -------------------------------------+---------------------------------- > -------------------------------------+--- > > Ticket URL: > <http://trac.tools.ietf.org/wg/radext/trac/ticket/148#comment:1> > radext <http://tools.ietf.org/radext/> > > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext
- [radext] #148: Review of dynamic-discovery by Jim… radext issue tracker
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Jouni Korhonen
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… radext issue tracker
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… radext issue tracker