Re: [radext] Gathering opinions on draft-xue-radext-key-management

Bernard Aboba <bernard_aboba@hotmail.com> Tue, 08 July 2014 04:15 UTC

Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F1771B2A29 for <radext@ietfa.amsl.com>; Mon, 7 Jul 2014 21:15:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uj7zg5hqbgVE for <radext@ietfa.amsl.com>; Mon, 7 Jul 2014 21:15:34 -0700 (PDT)
Received: from BLU004-OMC1S21.hotmail.com (blu004-omc1s21.hotmail.com [65.55.116.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEBE61B2A25 for <radext@ietf.org>; Mon, 7 Jul 2014 21:15:33 -0700 (PDT)
Received: from BLU406-EAS386 ([65.55.116.9]) by BLU004-OMC1S21.hotmail.com with Microsoft SMTPSVC(7.5.7601.22712); Mon, 7 Jul 2014 21:15:32 -0700
X-TMN: [eh1KTHNneXXECeeg7t3Mi0rSBIxBS/mj]
X-Originating-Email: [bernard_aboba@hotmail.com]
Message-ID: <BLU406-EAS386A2680F97E72ECDE57CF2930C0@phx.gbl>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
References: <01FE63842C181246BBE4CF183BD159B448FD2EA1@nkgeml504-mbx.china.huawei.com> <53BB5816.90704@deployingradius.com>
From: Bernard Aboba <bernard_aboba@hotmail.com>
MIME-Version: 1.0 (1.0)
In-Reply-To: <53BB5816.90704@deployingradius.com>
Date: Mon, 7 Jul 2014 21:15:28 -0700
To: Alan DeKok <aland@deployingradius.com>
X-OriginalArrivalTime: 08 Jul 2014 04:15:32.0787 (UTC) FILETIME=[42A96030:01CF9A63]
Archived-At: http://mailarchive.ietf.org/arch/msg/radext/TaBMLqTfWXxtb5J0xycWg1bk_yY
Cc: "radext@ietf.org" <radext@ietf.org>, Xueli <xueli@huawei.com>
Subject: Re: [radext] Gathering opinions on draft-xue-radext-key-management
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jul 2014 04:15:35 -0000

RFC 5247 provides the Key Management model for EAP. It is standards track - and updates are outside the Charter of RADEXT WG.

> On Jul 7, 2014, at 7:32 PM, "Alan DeKok" <aland@deployingradius.com> wrote:
> 
> Xueli wrote:
>> As you know, we presented the draft-xue-radext-key-management (new version http://tools.ietf.org/id/draft-xue-radext-key-management-03.txt  )
>> Which defines the Radius extensions for key delivery between BNG and AC in some specific scenario.
> 
>  I think the general consensus was that this was outside of the scope
> of RADIUS.
> 
>> Now the argument is that whether this item is the genuine Radius/RADEXT problem?
> 
>  RADIUS is usually about end-users.  Authenticating them, authorizing
> them, and performing accounting for them.  If you want a general purpose
> "remote API" protocol, see Diameter.
> 
>> Radius packet is proposed to resolve this issue because of following reasons:
>> 1 transmit session authorization attributes
>> (Key, which is produced during authentication and delivered by Radius from Server to NAS)
> 
>  If the key is transmitted between a RADIUS client and server, then the
> transmission can be done as part of a normal RADIUS conversation.  If
> the key is transmitted somewhere else, then that's a *huge* security
> problem.  And it doesn't fit the standard RADIUS model.
> 
>> 2 unsolicited messages 
>> 3 It is not the issue of Radius, it may be the issue of EAP over Radius..
>> 
>> At this stage, the authors appreciate your opinions very much for the next step of this draft.
>> Can it be solved in RADEXT? If not, which WG could be the place?
> 
>  I think this proposal would have a hard time finding traction anywhere
> in the IETF.  The security problems with sharing keys are very serious.
> 
>  Alan DeKok.
> 
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext