[radext] Re: Proposed Security Considerations Text

Q Misell <q@as207960.net> Tue, 30 July 2024 07:37 UTC

Return-Path: <q@as207960.net>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA2BAC14F69F for <radext@ietfa.amsl.com>; Tue, 30 Jul 2024 00:37:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=as207960.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4oSPgfiRmmwg for <radext@ietfa.amsl.com>; Tue, 30 Jul 2024 00:37:08 -0700 (PDT)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51EE1C14F682 for <radext@ietf.org>; Tue, 30 Jul 2024 00:37:07 -0700 (PDT)
Received: by mail-ed1-x52b.google.com with SMTP id 4fb4d7f45d1cf-5a167b9df7eso6972641a12.3 for <radext@ietf.org>; Tue, 30 Jul 2024 00:37:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=as207960.net; s=google; t=1722325026; x=1722929826; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=c0Okfu1OSdiBPX9KAva8/6leynzZfXYyxr6jHndLjDs=; b=RU5UPDSUYS+k0whGsx7Bbh1yTEGM9axpGtvfnk3IE6d7y/3xVKilN29/jR7oe6C1Ka zVomg5RyoOsJDCVu0e/HBjztLqZFa0RyjQZekut0a9rxMiO2YqJbQxkIGdQieRSBBwCi fhYEqRzxFOCzMQm5Qs5EEeOMN8gaEdV59umJxd1MCUMF/MNKstVD4WO1zzANgfvynDSj RblO+DBr3DecFTLnW2iGXU7fAGnC8YhxNSCeAwoij37llqMmy8bwfNkMrQoZ1Jr1E6a9 t2NYp/PXta48LYXf8MzE5BCy1NRo+CCxeb4YFTM5EBhdCxdgeUSJvOOffiQAuSV8pbRm cZ7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722325026; x=1722929826; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=c0Okfu1OSdiBPX9KAva8/6leynzZfXYyxr6jHndLjDs=; b=d3neCRlAref9HlnzqAow1gOGRdqgP0KKbEO+hIJI645+9036mft4dmFFyfZ1k0rs+F dGXxdxzcPF3XC24buOkL7k3VZe4OUq49Znsyyrcw+njF5c/OmC+xD+Mbb3sC1xX4fRO0 riTEae8jrcL7GKp+fmZoe9sO/OjmU4iiLPc1x9KDLvBnFkG6hWCqeJCxsTFE3s6T5535 L8pbwRopKd9BtItUB+XMfUDmBK77dUfNjs6CdSGRloFCD4Ab8uQgEA2jxsm2NdtcWIKG C/kLTbvLOeGRi1OjYNvvJmqC260E99ebbzpLiEFqY0S3hRIAZGIhbhzzAqE+/Arw6gp7 33zw==
X-Gm-Message-State: AOJu0Yz+W3x11NeAxHcuxoVsORQq5GTZc3GDcDuoO4WpPlVhBmlpD80m QRy+FObcm/+wbAqz/2AevI2ofZWby9dmgP7NX4ciGM4trLO8C0IJYu8HFe+orScHMZgfqrz7oGE 3Z0OmTCnjAmckyCNuW7r1d5tfxhEcFxd8OqBB5RFyuJrCciT3eXbYA+9U+hFkRQ==
X-Google-Smtp-Source: AGHT+IFd1jMEPZ2HFUlVOmWgOuSauW1Z3RaRTVRMvwP6HMrpLVjgaEDWDt6IUXoxS8qVhtf19KsYb7V1SVxmRFTz5o4=
X-Received: by 2002:a50:cc99:0:b0:5a2:84e2:c88a with SMTP id 4fb4d7f45d1cf-5b0205d5e37mr6484261a12.12.1722325026069; Tue, 30 Jul 2024 00:37:06 -0700 (PDT)
MIME-Version: 1.0
References: <D11A041B-99E4-4886-99C6-6A410D85B908@gmail.com>
In-Reply-To: <D11A041B-99E4-4886-99C6-6A410D85B908@gmail.com>
From: Q Misell <q@as207960.net>
Date: Tue, 30 Jul 2024 09:36:30 +0200
Message-ID: <CAMEWqGsReaLQKts9mnBr_5t0SWhaT2c0qir2Fk02Y=Rr_9FVtQ@mail.gmail.com>
To: Margaret Cullen <mrcullen42@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000005dfb86061e720b50"
Message-ID-Hash: 7YNJVEYPNNBWDKR6UGNFKQMRUVPRFLG5
X-Message-ID-Hash: 7YNJVEYPNNBWDKR6UGNFKQMRUVPRFLG5
X-MailFrom: q@as207960.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Proposed Security Considerations Text
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/K6_g3gdmiPrZfTP9LTvrbWi-7kY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>

Moin,

> When certificates are used, TLS authentication is established by the fact
that a peer has a current, valid, unrevoked certificate where the value in
<what field?> matches <what value?>. How will the RADIUS layer determine
the identity of the connected peer, so that authorization can be performed?

This should reference RFC 9525 as an informative reference. Exactly how a
certificate is matched to an identity is local policy, but RFC 9525
provides some guidance on how someone might want to do that.

>  Integrity protection of messages

(D)TLS already provides strong integrity protection, there's no need to
reinvent the wheel, we'll probably get it wrong. The burden of integrity
protection can be removed entirely from the RADIUS layer.

> Hiding sensitive data in RADIUS message

Again, this a problem for (D)TLS, not RADIUS. We probably don't even need
to do the whole User-Password encryption dance, but I accept removing that
creates other problems elsewhere.

> Security implications of connection-based vs. per-packet authentication
and authorization

This one I'm less sure about. At the very least I think we need a note
about time of check vs time of use here.
With per-packet auth the access permissions of the client are checked on
every message; with per connection auth its possible that an implementer
would check access once at the start.
If the access of a client is changed or revoked during a session such an
implementer would then still allow the client to transact under its
original access permissions.
It is exceedingly unlikely (impossible?) for client identity to change
during a session, so I think checking that once at the start is fine.
We should therefore say that an implementer should check access permissions
on every message, or at least periodically during the session.

>  Explanation of why TLS channel binding is not needed in RADIUS/(D)TLS

Suggested text:
RADIUS is an inherently hop-by-hop protocol in current deployments, and it
is expected that hops make modifications to RADIUS messages as they process
and forward them.
Channel binding (e.g. using TLS Exporter Keys) provides little to no value
in this scenario and is therefore not implemented in RADIUS over (D)TLS.
------------------------------

Any statements contained in this email are personal to the author and are
not necessarily the statements of the company unless specifically stated.
AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace,
Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company
registered in Wales under № 12417574
<https://find-and-update.company-information.service.gov.uk/company/12417574>,
LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876
<https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. EU
VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №:
522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru
maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca
Digital, is a company registered in Estonia under № 16755226. Estonian VAT
№: EE102625532. Glauca Digital and the Glauca logo are registered
trademarks in the UK, under № UK00003718474 and № UK00003718468,
respectively.


On Fri, 26 Jul 2024 at 21:56, Margaret Cullen <mrcullen42@gmail.com> wrote:

> [I am sending this message incomplete because the WG meeting is now…. I
> will pick it up again and add more on the way home or over the weekend.
> Contributions very welcome!]
>
>
> Hi All,
>
> I am working on additional Security Considerations text for RADIUS/(D)TLS
> to capture the discussion we have been having for  the past couple of
> days.  Please note that I have written this text as though the text of the
> TLS-PSK document were included in RADIUS/(D)TLS, as we previously
> established WG consensus to incorporate it.
>
> There are some places below where I need help knowing what to say…. Either
> because I lack specific knowledge or because I am unsure of how certain
> things will work.
>
> Please help!
>
> —
>
> X.1             Security implications of well-known “secret” value
>
> In addition to defining how a single RADIUS message transmitted over
> (D)TLS, this document specifies that the RADIUS “secret” value will be
> hard-coded to one of two well-known values (“radsec” of “radsec/dtls”).
> The “secret” value is used for several things in RADIUS/UDP:
>
> - authentication of a RADIUS peer,
> - authorization of a RADIUS peer to assume a particular role (client,
> server, CoA sender, etc.)
> - integrity protection of the message contents, and
> - hiding sensitive data in a RADIUS messages
>
> X.1.1   Authentication and Authorization of a RADIUS Peer
>
> When a RADIUS/UDP message is received, the “secret” value and the remote
> IP address are used to authenticate the RADIUS peer.  Once the peer has
> been authenticated, the RADIUS server will look up the configured policy
> for that peer, and determine whether the peer is authorized to send the
> type of message that was just received.  Assuming authentication and
> authorization are successful, the RADIUS server will process the message.
> Otherwise, it will be discarded.  Each RADIUS message is separately
> authenticated and authorized as it is received.
>
> In RADIUS/(D)TLS, a peer is authenticated as part of TLS session
> establishment, because a TLS connection will not be established unless the
> peer has acceptable credentials.  When certificates are used, TLS
> authentication is established by the fact that a peer has a current, valid,
> unrevoked certificate where the value in <what field?> matches <what
> value?>.  When (D)TLS-PSK is used, TLS authentication is established when
> the peer has a PSK value that matches the PSK configured in the TLS
> configuration in use by RADIUS.  When a TLS connection has been
> established, the RADIUS layer will infer that authentication has been
> successful, .  How will be RADIUS layer determine the identity of the
> connected peer, so that authorization can be performed?
>
> [Note:  We should probably also have something in the normative part of
> the RADIUS/(D)TLS document that explains what a RADIUS implementation
> should do, when RADIUS is run over (D)TLS, anywhere that RADIUS/UDP and/or
> other RADIUS-adjacent specifications (such as the CoA documents) indicate
> that implementations should “check the secret” for any reason, as that is
> not a useful thing to do in RADIUS/(D)TLS.]
>
> X.1.2   Integrity protection of messages
>
> X.1.3   Hiding sensitive data in RADIUS message
>
> X.2     Security implications of connection-based vs. per-packet
> authentication and authorization
>
>
> X.3     Explanation of why TLS channel binding is not needed in
> RADIUS/(D)TLS
>
> —
> Anything to contribute to the above text? Any thoughts or questions?
>
> Thank you in advance for your help,
> Margaret
>
>
>
>
>
>
> .
> _______________________________________________
> radext mailing list -- radext@ietf.org
> To unsubscribe send an email to radext-leave@ietf.org
>