IETF Logo Mail Archive

Re: [radext] Secure COA

Sam Hartman <hartmans@painless-security.com> Tue, 24 March 2015 15:44 UTC

Return-Path: <hartmans@painless-security.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDB551A8935 for <radext@ietfa.amsl.com>; Tue, 24 Mar 2015 08:44:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wFrDQl76J9SP for <radext@ietfa.amsl.com>; Tue, 24 Mar 2015 08:44:06 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F5D21A8948 for <radext@ietf.org>; Tue, 24 Mar 2015 08:44:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 737782067A; Tue, 24 Mar 2015 11:42:26 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MG5qoEGjs8LU; Tue, 24 Mar 2015 11:42:26 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (unknown [10.1.10.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Tue, 24 Mar 2015 11:42:26 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 22D3A8720D; Tue, 24 Mar 2015 11:44:04 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Alan DeKok <aland@deployingradius.com>
References: <5502B836.5000100@restena.lu> <alpine.WNT.2.20.1.1503221133420.3600@SMURF> <9C712CB9-7834-4049-9318-54E769F7661D@deployingradius.com> <alpine.WNT.2.20.1.1503221518060.3600@SMURF> <2DB68EA1-97A6-4263-9E7F-9BD24B567C7A@deployingradius.com> <alpine.WNT.2.20.1.1503221852040.3600@SMURF> <5FA970CC-2E05-4EFC-8AE6-840D334B28E4@deployingradius.com> <alpine.WNT.2.20.1.1503230923000.3600@SMURF> <1A6EF1EA-3412-4AAA-9646-3FD18EC0C4E4@deployingradius.com> <tsl4mpbb8r6.fsf@mit.edu> <6C5BFB5E-133B-4D3A-AB80-81D1C0F9AE38@deployingradius.com> <tsllhim8mqo.fsf_-_@mit.edu> <32EBB4F3-56D8-434B-83CD-9CD570A62F18@deployingradius.com>
Date: Tue, 24 Mar 2015 11:44:04 -0400
In-Reply-To: <32EBB4F3-56D8-434B-83CD-9CD570A62F18@deployingradius.com> (Alan DeKok's message of "Tue, 24 Mar 2015 05:42:07 -1000")
Message-ID: <tsl619q8kor.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/XUoxvkxI5cUhShxaIDvXE2NGY4Q>
Cc: radext@ietf.org, Peter Deacon <peterd@iea-software.com>
Subject: Re: [radext] Secure COA
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2015 15:44:10 -0000

What you say here makes sense too.
>>>>> "Alan" == Alan DeKok <aland@deployingradius.com> writes:

    Alan>   To back up a bit, most of the forgery problem can be avoided
    Alan> by noting that the Operator-NAS-Identifier is itself a unique
    Alan> key.  If the visited realm creates many values for the
    Alan> attribute, then guessing correct values is hard, and forgery
    Alan> is trivially detectable.

    Alan>   i.e. if each user session has a different
    Alan> Operator-NAS-Identifier, then a home server can forge a CoA
    Alan> packet, but it will get detected by the visited realm as a
    Alan> forgery.  The proxies need to do nothing.

    Alan>   The visited realm could simply track user sessions in a
    Alan> database (as they mostly do now), and create unique
    Alan> Operator-NAS-Identifiers for each user.  When receiving a CoA
    Alan> request, look up the identifier in a DB, and get the IP of the
    Alan> NAS from there.  Or, the visited realm could be stateless, and
    Alan> encrypt the real NAS IP address with a combination of a secret
    Alan> local key, and the destination realm.  This makes a unique
    Alan> (and secret) identifier for each realm, and for each NAS in
    Alan> the visited realm.

v2.23.0 | Report a Bug | By Email