IETF Logo Mail Archive

[radext] Question about CoA-Request and Tunnel-Password

Alan DeKok <aland@deployingradius.com> Tue, 09 May 2017 15:59 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72C8512E059 for <radext@ietfa.amsl.com>; Tue, 9 May 2017 08:59:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.799
X-Spam-Level:
X-Spam-Status: No, score=0.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RDsmw1lhtpzT for <radext@ietfa.amsl.com>; Tue, 9 May 2017 08:59:38 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id 8E97B126C22 for <radext@ietf.org>; Tue, 9 May 2017 08:59:38 -0700 (PDT)
Received: from [192.168.20.197] (CPEf4cc552207f0-CM00fc8dce0fa0.cpe.net.cable.rogers.com [99.230.129.191]) by mail.networkradius.com (Postfix) with ESMTPSA id 6685637F for <radext@ietf.org>; Tue, 9 May 2017 15:59:37 +0000 (UTC)
From: Alan DeKok <aland@deployingradius.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <BBF30238-4DBC-4793-898B-7DE1BE13ED6C@deployingradius.com>
Date: Tue, 09 May 2017 11:59:35 -0400
To: radext@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/OcSEO0bS914vlXR7-BrjZlpu2lI>
Subject: [radext] Question about CoA-Request and Tunnel-Password
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 May 2017 15:59:40 -0000

  I think there's an issue with CoA-Request and Tunnel-Password

  RFC 5176 Section 2.3 says:

      Request Authenticator

         In Request packets, the Authenticator value is a 16-octet MD5
         [RFC1321] checksum, called the Request Authenticator.  The
         Request Authenticator is calculated the same way as for an
         Accounting-Request, specified in [RFC2866].

  Where RFC 2866 Section 3 says:

      The NAS and RADIUS accounting server share a secret.  The Request
      Authenticator field in Accounting-Request packets contains a one-
      way MD5 hash calculated over a stream of octets consisting of the
      Code + Identifier + Length + 16 zero octets + request attributes +
      shared secret (where + indicates concatenation).  The 16 octet MD5
      hash value is stored in the Authenticator field of the
      Accounting-Request packet.

    This means that for CoA-Request packets, all attribute obfuscation is calculated with the Reply Authenticator being all zeroes.

  RFC 5176 Section 3.6 allows for Tunnel-Password in CoA-Request packets:

   ...
   Change-of-Authorization Messages

   Request   ACK      NAK   #   Attribute
   ...
   0+        0        0    69   Tunnel-Password (Note 5)
   ...
   (Note 5) When included within a CoA-Request, these attributes
   represent an authorization change request.  Where tunnel attributes
   are included within a successful CoA-Request, all existing tunnel
   attributes are removed and replaced by the new attribute(s).


  However, RFC 2868 Section 3.5 says that Tunnel-Password is encrypted with the Request Authenticator:

   ...
         Call the shared secret S, the pseudo-random 128-bit Request
         Authenticator (from the corresponding Access-Request packet) R,
  ...

  The assumption that the Request Authenticator is random data is true for Access-Request packets.  It's not true for CoA-Request packets

  i.e. when the Tunnel-Password attribute is used in CoA-Request packets, the *only* randomness in the encryption is the salt.  Again, RFC 2868 Section 3.5 says:

   Salt
      The Salt field is two octets in length and is used to ensure the
      uniqueness of the encryption key used to encrypt each instance of
      the Tunnel-Password attribute occurring in a given Access-Accept
      packet.  The most significant bit (leftmost) of the Salt field
      MUST be set (1).  The contents of each Salt field in a given
      Access-Accept packet MUST be unique.
 

  Which means that there's only 15 bits of entropy in the Tunnel-Password obfuscation (plus the secret).

  I don't think this is a serious issue, given that the secret is used to obfuscate the Tunnel-Password.  But it can't be a good thing.

  Since this hasn't been brought up before in RADEXT, I thought I'd make a note.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email