[radext] Question about CoA-Request and Tunnel-Password
Alan DeKok <aland@deployingradius.com> Tue, 09 May 2017 15:59 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72C8512E059 for <radext@ietfa.amsl.com>; Tue, 9 May 2017 08:59:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.799
X-Spam-Level:
X-Spam-Status: No, score=0.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RDsmw1lhtpzT for <radext@ietfa.amsl.com>; Tue, 9 May 2017 08:59:38 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id 8E97B126C22 for <radext@ietf.org>; Tue, 9 May 2017 08:59:38 -0700 (PDT)
Received: from [192.168.20.197] (CPEf4cc552207f0-CM00fc8dce0fa0.cpe.net.cable.rogers.com [99.230.129.191]) by mail.networkradius.com (Postfix) with ESMTPSA id 6685637F for <radext@ietf.org>; Tue, 9 May 2017 15:59:37 +0000 (UTC)
From: Alan DeKok <aland@deployingradius.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <BBF30238-4DBC-4793-898B-7DE1BE13ED6C@deployingradius.com>
Date: Tue, 09 May 2017 11:59:35 -0400
To: radext@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/OcSEO0bS914vlXR7-BrjZlpu2lI>
Subject: [radext] Question about CoA-Request and Tunnel-Password
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 May 2017 15:59:40 -0000
I think there's an issue with CoA-Request and Tunnel-Password RFC 5176 Section 2.3 says: Request Authenticator In Request packets, the Authenticator value is a 16-octet MD5 [RFC1321] checksum, called the Request Authenticator. The Request Authenticator is calculated the same way as for an Accounting-Request, specified in [RFC2866]. Where RFC 2866 Section 3 says: The NAS and RADIUS accounting server share a secret. The Request Authenticator field in Accounting-Request packets contains a one- way MD5 hash calculated over a stream of octets consisting of the Code + Identifier + Length + 16 zero octets + request attributes + shared secret (where + indicates concatenation). The 16 octet MD5 hash value is stored in the Authenticator field of the Accounting-Request packet. This means that for CoA-Request packets, all attribute obfuscation is calculated with the Reply Authenticator being all zeroes. RFC 5176 Section 3.6 allows for Tunnel-Password in CoA-Request packets: ... Change-of-Authorization Messages Request ACK NAK # Attribute ... 0+ 0 0 69 Tunnel-Password (Note 5) ... (Note 5) When included within a CoA-Request, these attributes represent an authorization change request. Where tunnel attributes are included within a successful CoA-Request, all existing tunnel attributes are removed and replaced by the new attribute(s). However, RFC 2868 Section 3.5 says that Tunnel-Password is encrypted with the Request Authenticator: ... Call the shared secret S, the pseudo-random 128-bit Request Authenticator (from the corresponding Access-Request packet) R, ... The assumption that the Request Authenticator is random data is true for Access-Request packets. It's not true for CoA-Request packets i.e. when the Tunnel-Password attribute is used in CoA-Request packets, the *only* randomness in the encryption is the salt. Again, RFC 2868 Section 3.5 says: Salt The Salt field is two octets in length and is used to ensure the uniqueness of the encryption key used to encrypt each instance of the Tunnel-Password attribute occurring in a given Access-Accept packet. The most significant bit (leftmost) of the Salt field MUST be set (1). The contents of each Salt field in a given Access-Accept packet MUST be unique. Which means that there's only 15 bits of entropy in the Tunnel-Password obfuscation (plus the secret). I don't think this is a serious issue, given that the secret is used to obfuscate the Tunnel-Password. But it can't be a good thing. Since this hasn't been brought up before in RADEXT, I thought I'd make a note. Alan DeKok.
- [radext] Question about CoA-Request and Tunnel-Pa… Alan DeKok
- Re: [radext] Question about CoA-Request and Tunne… Bernard Aboba
- Re: [radext] Question about CoA-Request and Tunne… Alan DeKok
- Re: [radext] Question about CoA-Request and Tunne… David B. Nelson
- Re: [radext] Question about CoA-Request and Tunne… Alan DeKok