[radext] Re: Proposed Security Considerations Text

Alan DeKok <aland@deployingradius.com> Wed, 31 July 2024 01:27 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37AB4C180B7D for <radext@ietfa.amsl.com>; Tue, 30 Jul 2024 18:27:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_TEMPERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3G-y3C5pJ4nv for <radext@ietfa.amsl.com>; Tue, 30 Jul 2024 18:26:56 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAF10C180B71 for <radext@ietf.org>; Tue, 30 Jul 2024 18:26:31 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-232.cpe.pppoe.ca [135.23.95.232]) by mail.networkradius.com (Postfix) with ESMTPSA id E8922177; Wed, 31 Jul 2024 01:26:28 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <D11A041B-99E4-4886-99C6-6A410D85B908@gmail.com>
Date: Tue, 30 Jul 2024 21:26:27 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <AA5854AF-3555-46BE-A25D-29193DFCA6A8@deployingradius.com>
References: <D11A041B-99E4-4886-99C6-6A410D85B908@gmail.com>
To: Margaret Cullen <mrcullen42@gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Message-ID-Hash: K5MZ6PKRRT4QDSVMG22GDXYIOJDEVS4S
X-Message-ID-Hash: K5MZ6PKRRT4QDSVMG22GDXYIOJDEVS4S
X-MailFrom: aland@deployingradius.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Proposed Security Considerations Text
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/JqKXETSBAuEq1Krl6rDOOtTMKiM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>

On Jul 26, 2024, at 3:56 PM, Margaret Cullen <mrcullen42@gmail.com> wrote:
> X.1		Security implications of well-known “secret” value 
> 
> In addition to defining how a single RADIUS message transmitted over (D)TLS, this document specifies that the RADIUS “secret” value will be hard-coded to one of two well-known values (“radsec” of “radsec/dtls”).  The “secret” value is used for several things in RADIUS/UDP:
> 
> - authentication of a RADIUS peer,
> - authorization of a RADIUS peer to assume a particular role (client, server, CoA sender, etc.)
> - integrity protection of the message contents, and 
> - hiding sensitive data in a RADIUS messages

  I don't agree with item 2.  The authorization of a system has little to do with the secret.

  i.e. systems usually have a set of data associated with a client to server relationship:

	IP address (client or server)
	shared secret
	purpose of this connection (Access-Request, Accounting-Request, etc).

  When a packet is received by a server, the source IP is used to look up the associated tuple.  Then packets which are not authorized are dropped, even if they can be authenticated.  So the secret isn't necessarily involved here.

  The secret is used to:

* authenticate packets received from a peer
* verify per-packet integrity checks
* obfuscate sensitive data


> X.1.1 	Authentication and Authorization of a RADIUS Peer
> 
> When a RADIUS/UDP message is received, the “secret” value and the remote IP address are used to authenticate the RADIUS peer.  Once the peer has been authenticated, the RADIUS server will look up the configured policy for that peer, and determine whether the peer is authorized to send the type of message that was just received.  Assuming authentication and authorization are successful, the RADIUS server will process the message.  Otherwise, it will be discarded.  Each RADIUS message is separately authenticated and authorized as it is received.

  But the "peer" is never authenticated.  Instead, each individual packet is authenticated.  Perhaps:


  When a RADIUS/UDP message is received, the remote IP address is used to verify that the packet is coming from a known peer.  The IP address is also used to look up the shared secret associated with this peer.  Other information may be associated with the peer, such as a set of packet codes which the receiving system is prepared to accept.  For example, a server may accept only Access-Request packets on port 1812, but not accept Accounting-Request packets on that port.  Similarly, a client will access Access-Accept from the server in response to an Access-Request, but will not accept an Accounting-Request response for that Access-Request.

  If the packet is from a known peer and passes any authorization checks, the shared secret is used to authenticate the packet.  Packets which fail authentication are silently discarded.  Packets which pass authentication are processed according to local site policies.

  The process for RADIUS/TCP is similar, except that the peer IP address is only checked on the initial TCP connection.  After that, the shared secret and any authorization rules are associated with that connection, and are checked as described above.

  For RADIUS/(D)TLS, the connection is authenticated as part of TLS session establishment.  Connections which fail authentication are closed, and no RADIUS traffic passes.  Peers can be authenticated via certificates, via a PSK, or by any other method supported by TLS.  RADIUS/(D)TLS imposes no restrictions on TLS authentication methods.

  Once a (D)TLS session is established, the peer identity (not peer IP) is used to find any associated authorization policies.  RADIUS traffic received over a (D)TLS connection then follows the above process for which kinds of packets will be accepted, and how those packets will be processed.

  The result of this design is that the processing of individual packets (e.g. Access-Accept) is essentially independent of the transport protocol.  The transport protocol may permit only certain peers to connect, or it may permit only certain kinds of packets to pass any authorization rules.  However, once a peer has determined that it will accept a packet, further packet processing is independent of any transport protocol.  For example, User-Name and User-Password validations can be performed without using knowledge of the underlying transport in which those attributes were received.

> [Note:  We should probably also have something in the normative part of the RADIUS/(D)TLS document that explains what a RADIUS implementation should do, when RADIUS is run over (D)TLS, anywhere that RADIUS/UDP and/or other RADIUS-adjacent specifications (such as the CoA documents) indicate that implementations should “check the secret” for any reason, as that is not a useful thing to do in RADIUS/(D)TLS.]

  While 6614 and 7360 use a fixed shared secret, the pre-existing rules still apply.  i.e. discarding packets which fail validation.  The only difference is that it's likely best to close the TLS session, too, if the shared secret is wrong.

> X.1.2 	Integrity protection of messages
> 
> X.1.3	Hiding sensitive data in RADIUS message

  TLS does those, we don't need to do much more than mention it.

> X.2	Security implications of connection-based vs. per-packet authentication and authorization

  I don't think there's much to say here?  Q's message also covers this.

  There's only one difference I can see between "authorized client" checking either per-message, or once at the start of a connection.  That difference is what to do when the "authorized client" configuration changes.

  For per-message checks, the new configuration is applied to the next received message.  For per-connection checks, there is now a choice for existing connections:

a) keep the existing connection up, and ignore the configuration change

b) double-check the existing connection against the new "authorized client" rules.  If pass, do nothing, otherwise close the connection

c) always close the connection, and make clients reconnect using the new authorization rules.

  There are good arguments for all 3 of these behaviours.

> 
> X.3	Explanation of why TLS channel binding is not needed in RADIUS/(D)TLS

  I agree with Q here: channel bindings offer no additional security.

  If we did add TLS channel bindings, we would have to somehow glue that into the RADIUS packets inside of the tunnel.  i.e. mandating connections start with Status-Server with channel binding.

  This would create additional complexity for no additional benefit.

  Alan DeKok.