IETF Logo Mail Archive

Re: [radext] Server identity and RFC7585bis

Alan DeKok <aland@deployingradius.com> Fri, 12 April 2024 14:08 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8765C14F68F for <radext@ietfa.amsl.com>; Fri, 12 Apr 2024 07:08:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GN-n24VnD_NE for <radext@ietfa.amsl.com>; Fri, 12 Apr 2024 07:08:24 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E1B3C14F5E8 for <radext@ietf.org>; Fri, 12 Apr 2024 07:08:23 -0700 (PDT)
Received: from smtpclient.apple (unknown [75.98.136.130]) by mail.networkradius.com (Postfix) with ESMTPSA id 0C7531FD; Fri, 12 Apr 2024 14:08:19 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <5b5d0dc0-a81a-415e-ac01-de8b365a6ea0@dfn.de>
Date: Fri, 12 Apr 2024 10:08:18 -0400
Cc: radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <548E18B4-77BB-4658-B17D-56212F324436@deployingradius.com>
References: <CA9BEA9C-39EF-4764-A0FE-D122413B37F7@deployingradius.com> <18ef8267-474e-49ae-9204-0c6c79d5e50c@dfn.de> <6628c5c8-5071-476f-9ea2-2875d86304e2@dfn.de> <10347.1712778967@obiwan.sandelman.ca> <7D282A57-B68E-43DA-A6A2-7E14A8C09119@deployingradius.com> <5b5d0dc0-a81a-415e-ac01-de8b365a6ea0@dfn.de>
To: Jan-Frederik Rieckers <rieckers@dfn.de>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/Tf5q9xzUL68o6UqNe0NHSs0rEaU>
Subject: Re: [radext] Server identity and RFC7585bis
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 14:08:25 -0000

On Apr 12, 2024, at 4:35 AM, Jan-Frederik Rieckers <rieckers@dfn.de> wrote:
> The purpose of defining a way to check if it is the same server is to make sure that we mark broken servers as down and don't use them in our load-balancing any more.

  I think we have to more clearly separate the concepts of routing from identity.

  An admin running a RADIUS proxy typically can group multiple _routes_ into one _identity_.   That configuration is a statement that a set of destination IP/ports are all the "same" RADIUS server.

  Historically, there is some out of band process by which an admin determines that this set of destination IP/posts are all the "same" server.  That process is largely manual, and is done by having admins communicate with each other.

  RFC 7585 automated that process a little bit.  A particular realm can put a routing statement into DNS.  RADIUS clients or proxies can look up a DNS record for a particular realm, and find route(s) to the RADIUS server.

  We also have issues of what happens when the next hop is another proxy, and not a server which is authoritative for a realm.  Similarly, one system could perhaps be authoritative for multiple realms.  The issues are similar in both cases.

> Nowhere does it say "A server certificate MUST NOT be used in more than one single server"

  I agree that isn't a useful restriction.  It's certainly reasonable to have a "gold" VM, and clone it to multiple RADIUS servers.

  But it's also reasonable to issue multiple _different_ certs which have the same RFC 7585 NAIRealm field.  I interpret that statement as all of those servers are interchangeable.  That all (or any) of them can be used to reach that realm.

> And just because the server presented the same certificate (with maybe multiple SANs) it doesn't mean that all connections to the server are the same.

  I think that's where we disagree, perhaps just on terminology.

  For me, there can be multiple _routes_ to a realm.  The routes can go up or down dynamically.  The routes can use UDP, IPSec, or (D)TLS.  But those routes all terminate at the same _identity_: a server which is authoritative for a realm.

  Those routes are pretty much different by definition.  They can use different transports, IPs, or even just different TLS connections.  Each router or connection has to have its own handling for idle timeouts, lifetimes, etc.

  An administrator can put multiple routes into a "pool" of routes.  When the proxy sends a packet, it selects a particular route, and sends the packet over that route.

  Routes can be added and deleted dynamically.  If the route uses TCP or TLS, one configured route may end up using multiple connections.  And the connections can be added and deleted dynamically.

> If we go down the path with SNI, then I could have a connection that used eduroam-federation.example.com for one connection and openroaming-federation.example.com for another. The certificate may be valid for both DNS names, but the policy is different on the connections.

  I'm not clear what that means.

  I do agree that it's possible to send packets for multiple realms down one connection.  The question for me is how do we determine that this particular system accepts packets for multiple realms.  Historically, that has been done manually by the administrator.

> If we would say "Just compare the certificate" then the client would send OpenRoaming packets to the eduroam federation, or the other way round, depending on which connection was there first.

  I think 

> If we completely ignore the IP/port part, then a client would mark the whole redundancy cluster as down, just because they opened up a connection to one of them and they stopped answering.

  I don't think so.  Each route / connection has to operate independently.  There really isn't another choice.  I think such bad behaviour should be forbidden.

  i.e. when there is pool of routes / connections, the RADIUS client runs liveliness checks _independently_ for each one.  Only when all routes / connections are "down" is the destination realm declared "down".

> And, the other way round, if there were other connection open to other members of the cluster, it would keep trying the broken server in the cluster, because there are still open connections to "this server", so the software can't mark the server as down.

  It should try using the other connections.  They might work.  If they don't work, the proxy will gradually discover that all connections are broken.  And then mark the realm as down.

> We should make sure why we need to identify a client and a server.
> 
> From my perspective, identifying a server has two reasons:
> 1. Make sure that redundancy mechanisms work (as described above)

  RRC 2865 says:

	Retry and fallback algorithms are the topic of current
        research and are not specified in detail in this document.

  Perhaps we need to finally define that, along with load-balancing.

  I'm not sure that this document is the place to do that work.  I would just update this document to say that each connection has to be operated independently of other connections.

> 2. Prevent opening unnecessarily many open connections to a server with dynamic discovery, just because the client is not sure if it's the same, while keeping deployment options open (i.e. different policies hidden behind different Server Names, but with the same certificate)

  If the client is "not sure if it's the same", then we need to describe how the client makes that decision.

  As for the issue of different polices hidden behind different server names, I'm not overly worried about that.  We do this today with proxies in eduroam.  The eduroam proxies may present a certificate, but then forward the packets to different destination realms, each with different policies.  The client has no idea that this is happening.

  The problem for me is determining how to define the routes.  "realm A is at server B".  That mapping should ideally be M-N, not 1-1.

  i..e. one realm can have multiple servers.  One server can handle multiple realms, etc.

  Back to SNI, it's really only useful for RFC 7585: I asked example.com where the RADIUS server is, and it told me it's at this IP.  So when I connect to that IP, it better produce a certificate for example.com.

  I think it's fine for that server to support multiple realms.  It can then present different certs depending on the SNI presented by the client.

  RFC 7585 doesn't provide for that server to accept multiple realms on that connection.  We do need to address that issue.  But "manual admin configuration" has worked until now...

  Alan DeKok.

v2.23.0 | Report a Bug | By Email