IETF Logo Mail Archive

Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail reguarding draft-ietf-radext-dynamic-discovery

Stefan Winter <stefan.winter@restena.lu> Wed, 24 July 2013 14:50 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4426411E8108 for <radext@ietfa.amsl.com>; Wed, 24 Jul 2013 07:50:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eD8kE7N5IxMA for <radext@ietfa.amsl.com>; Wed, 24 Jul 2013 07:50:02 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id 7F17011E8221 for <radext@ietf.org>; Wed, 24 Jul 2013 07:48:37 -0700 (PDT)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 2363010590 for <radext@ietf.org>; Wed, 24 Jul 2013 16:48:21 +0200 (CEST)
Received: from aragorn.restena.lu (aragorn.restena.lu [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id 1543E1058C for <radext@ietf.org>; Wed, 24 Jul 2013 16:48:21 +0200 (CEST)
Message-ID: <51EFE930.9040903@restena.lu>
Date: Wed, 24 Jul 2013 16:48:16 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: radext@ietf.org
References: <88ACDECA21EE5B438CA26316163BC14C25D334A9@BASS.ad.clarku.edu> <51DD5683.3070202@restena.lu> <51DE5730.4080008@deployingradius.com> <51E545A6.6040008@restena.lu> <51E54C2E.80002@deployingradius.com> <51EFA72E.9050507@restena.lu> <51EFD6AD.9020006@deployingradius.com>
In-Reply-To: <51EFD6AD.9020006@deployingradius.com>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="hoJPtjfrgOPEH5O4jppqEJd9AVSPHFaNu"
X-Virus-Scanned: ClamAV
Subject: Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail reguarding draft-ietf-radext-dynamic-discovery
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2013 14:50:04 -0000

Hi,

>   I'm not sure.  Maybe I'm missing something.  If a proxy is about to
> send radsec traffic for realm A to IP address B, can't it do a DNS
> lookup on IP address B to see if realm A is listed?

Well, if realmA (or anyone for that matter) wants to DoS proxy B, then
it can also see which realms B actually serves (say, "therealrealm"),
and publish an article stating "free net access for username@therealrealm".

B would have an IP reverse with the indication that it *is* serving that
realm - and the TLS connection would come up. The reverse IP check
doesn't help with that.

Besides that, I also don't like that an IP's reverse DNS lookup which is
intended to provide a *host*name would now be re-used in the different
semantics of providing a *realm*name.

>> For a next rev of dynamicdiscovery, I've added the following paragraph
>> for Security Considerations in my working copy:
>>
>>    With Dynamic Discovery being enabled for a RADIUS Server, and
>>    depending on the deployment scenario, the server may need to open up
>>    its target IP address and port for the entire internet, because
>>    arbitrary clients may discover it as a target for their
>>    authentication requests.  If such clients are not part of the roaming
>>    consortium, the RADIUS/TLS connection setup phase will fail (which is
>>    intended) but the computational cost for the connection attempt is
>>    significant.  With the port for a TLS-based service open, the RADIUS
>>    server shares all the typical attack vectors for services based on
>>    TLS (such as HTTPS, SMTPS, ...).  Deployments of RADIUS/TLS with
>>    Dynamic Discovery should consider these attack vectors and take
>>    appropriate counter-measures (e.g. blacklisting known-bad IPs on a
>>    firewall, rate-limiting new connection attempts, etc.).
>>
>> Is that okay for you?
> 
>   Yes.

Okay, will be in -08.

Greetings,

Stefan Winter

> 
>   Alan DeKok.
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

v2.23.0 | Report a Bug | By Email