Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail reguarding draft-ietf-radext-dynamic-discovery
Stefan Winter <stefan.winter@restena.lu> Wed, 24 July 2013 14:50 UTC
Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4426411E8108 for <radext@ietfa.amsl.com>; Wed, 24 Jul 2013 07:50:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eD8kE7N5IxMA for <radext@ietfa.amsl.com>; Wed, 24 Jul 2013 07:50:02 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id 7F17011E8221 for <radext@ietf.org>; Wed, 24 Jul 2013 07:48:37 -0700 (PDT)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 2363010590 for <radext@ietf.org>; Wed, 24 Jul 2013 16:48:21 +0200 (CEST)
Received: from aragorn.restena.lu (aragorn.restena.lu [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id 1543E1058C for <radext@ietf.org>; Wed, 24 Jul 2013 16:48:21 +0200 (CEST)
Message-ID: <51EFE930.9040903@restena.lu>
Date: Wed, 24 Jul 2013 16:48:16 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: radext@ietf.org
References: <88ACDECA21EE5B438CA26316163BC14C25D334A9@BASS.ad.clarku.edu> <51DD5683.3070202@restena.lu> <51DE5730.4080008@deployingradius.com> <51E545A6.6040008@restena.lu> <51E54C2E.80002@deployingradius.com> <51EFA72E.9050507@restena.lu> <51EFD6AD.9020006@deployingradius.com>
In-Reply-To: <51EFD6AD.9020006@deployingradius.com>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="hoJPtjfrgOPEH5O4jppqEJd9AVSPHFaNu"
X-Virus-Scanned: ClamAV
Subject: Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail reguarding draft-ietf-radext-dynamic-discovery
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2013 14:50:04 -0000
Hi, > I'm not sure. Maybe I'm missing something. If a proxy is about to > send radsec traffic for realm A to IP address B, can't it do a DNS > lookup on IP address B to see if realm A is listed? Well, if realmA (or anyone for that matter) wants to DoS proxy B, then it can also see which realms B actually serves (say, "therealrealm"), and publish an article stating "free net access for username@therealrealm". B would have an IP reverse with the indication that it *is* serving that realm - and the TLS connection would come up. The reverse IP check doesn't help with that. Besides that, I also don't like that an IP's reverse DNS lookup which is intended to provide a *host*name would now be re-used in the different semantics of providing a *realm*name. >> For a next rev of dynamicdiscovery, I've added the following paragraph >> for Security Considerations in my working copy: >> >> With Dynamic Discovery being enabled for a RADIUS Server, and >> depending on the deployment scenario, the server may need to open up >> its target IP address and port for the entire internet, because >> arbitrary clients may discover it as a target for their >> authentication requests. If such clients are not part of the roaming >> consortium, the RADIUS/TLS connection setup phase will fail (which is >> intended) but the computational cost for the connection attempt is >> significant. With the port for a TLS-based service open, the RADIUS >> server shares all the typical attack vectors for services based on >> TLS (such as HTTPS, SMTPS, ...). Deployments of RADIUS/TLS with >> Dynamic Discovery should consider these attack vectors and take >> appropriate counter-measures (e.g. blacklisting known-bad IPs on a >> firewall, rate-limiting new connection attempts, etc.). >> >> Is that okay for you? > > Yes. Okay, will be in -08. Greetings, Stefan Winter > > Alan DeKok. > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext > -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
- [radext] Fwd: Mail reguarding draft-ietf-radext-d… Stefan Winter
- [radext] Fwd: Re: Mail reguarding draft-ietf-rade… Stefan Winter
- [radext] Fwd: RE: Mail reguarding draft-ietf-rade… Stefan Winter
- Re: [radext] Fwd: RE: Mail reguarding draft-ietf-… Stefan Winter
- [radext] Fwd: RE: Fwd: RE: Mail reguarding draft-… Stefan Winter
- Re: [radext] Fwd: RE: Fwd: RE: Mail reguarding dr… Stefan Winter
- [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail reguardi… Stefan Winter
- Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail regu… Alan DeKok
- Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail regu… Stefan Winter
- Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail regu… Alan DeKok
- Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail regu… Stefan Winter
- Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail regu… Alan DeKok
- Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail regu… Stefan Winter
- Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail regu… Stefan Winter
- Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail regu… Sam Hartman
- Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail regu… Alan DeKok
- Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail regu… Alan DeKok
- Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail regu… Stefan Winter