IETF Logo Mail Archive

Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail reguarding draft-ietf-radext-dynamic-discovery

Alan DeKok <aland@deployingradius.com> Thu, 25 July 2013 00:59 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA92321F99CE for <radext@ietfa.amsl.com>; Wed, 24 Jul 2013 17:59:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OVGJ63jxlpOU for <radext@ietfa.amsl.com>; Wed, 24 Jul 2013 17:58:58 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id 0932C21F99D2 for <radext@ietf.org>; Wed, 24 Jul 2013 17:58:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id D562822400C8; Thu, 25 Jul 2013 02:57:56 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R1GgSLThqbE0; Thu, 25 Jul 2013 02:57:56 +0200 (CEST)
Received: from Thor-2.local (unknown [67.71.147.228]) by power.freeradius.org (Postfix) with ESMTPSA id 53621224009D; Thu, 25 Jul 2013 02:57:56 +0200 (CEST)
Message-ID: <51F07814.5030200@deployingradius.com>
Date: Wed, 24 Jul 2013 20:57:56 -0400
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Sam Hartman <hartmans@painless-security.com>, "radext@ietf.org" <radext@ietf.org>
References: <88ACDECA21EE5B438CA26316163BC14C25D334A9@BASS.ad.clarku.edu> <51DD5683.3070202@restena.lu> <51DE5730.4080008@deployingradius.com> <51E545A6.6040008@restena.lu> <51E54C2E.80002@deployingradius.com> <51EFA72E.9050507@restena.lu> <51EFD6AD.9020006@deployingradius.com> <51EFE930.9040903@restena.lu> <tslvc3zor9z.fsf@mit.edu>
In-Reply-To: <tslvc3zor9z.fsf@mit.edu>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail reguarding draft-ietf-radext-dynamic-discovery
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2013 00:59:04 -0000

Sam Hartman wrote:
> We cannot be planning to have security of RADIUS over TLS devolve to an
> IP ACL check.

  It won't.  Maybe I'm missing something.

  I just want to ensure that we have a *simple* way to check if an IP
address can accept requests for a realm.  If the answer is "no", then
TLS shouldn't start.  If the answer is "yes", then TLS starts, with all
of the security mandated by TLS.

  i.e. It's a low-cost additional check before TLS.  I never proposed it
*replace* TLS.

  I'm worried about administrators mis-configuring realms.  "Hey,
company X says that server Y is a RADIUS proxy.  We'll list it for our
realm Z!"

  And then all of the traffic for these idiots goes to server Y.  No one
figures out this is wrong until after the TLS handshake.  Which can give
a DoS attack on server Y.

  A *simple* double-check can help prevent this.  The proxies get told
to go to server Y.  So they ask it.  "Do you handle realm Z"?  When the
answer is "no", they know to go bug realm Z to fix their business
relationships.  They DON'T bug server Y with useless requests.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email