Re: [radext] Proposed new charter text
Stefan Winter <stefan.winter@restena.lu> Tue, 24 March 2015 07:20 UTC
Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA7611B2CB8 for <radext@ietfa.amsl.com>; Tue, 24 Mar 2015 00:20:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01, WEIRD_PORT=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H3TDmfCJAB7w for <radext@ietfa.amsl.com>; Tue, 24 Mar 2015 00:20:49 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [158.64.1.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74DE21B2CB7 for <radext@ietf.org>; Tue, 24 Mar 2015 00:20:49 -0700 (PDT)
Received: from aragorn.restena.lu (aragorn.restena.lu [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id A921E40BFE for <radext@ietf.org>; Tue, 24 Mar 2015 08:20:47 +0100 (CET)
Message-ID: <5511104F.2030006@restena.lu>
Date: Tue, 24 Mar 2015 08:20:47 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: radext@ietf.org
References: <5502B836.5000100@restena.lu> <alpine.WNT.2.20.1.1503221133420.3600@SMURF> <9C712CB9-7834-4049-9318-54E769F7661D@deployingradius.com> <alpine.WNT.2.20.1.1503221518060.3600@SMURF> <2DB68EA1-97A6-4263-9E7F-9BD24B567C7A@deployingradius.com> <alpine.WNT.2.20.1.1503221852040.3600@SMURF> <5FA970CC-2E05-4EFC-8AE6-840D334B28E4@deployingradius.com> <alpine.WNT.2.20.1.1503230923000.3600@SMURF> <1A6EF1EA-3412-4AAA-9646-3FD18EC0C4E4@deployingradius.com> <tsl4mpbb8r6.fsf@mit.edu>
In-Reply-To: <tsl4mpbb8r6.fsf@mit.edu>
OpenPGP: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="CVLSawr1iwahAbuX5xN4ruLRI32FNk38F"
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/a7dJuMlBd5CcAdrrWfvfYYEQ_Lw>
Subject: Re: [radext] Proposed new charter text
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2015 07:20:52 -0000
Hello, thanks Alan, Peter and Sam for taking the discussion to this point. You have collectively revealed the issue that was causing the confusion; and it leads to a need to tweak the charter IMHO: Either the document needs to consider safeguards against "generous disconnects" in other domains - I understand from the discussion that this is a very hard problem - or the document can't be standards track and needs a big warning that such generous disconnects are a security problem in this draft. I understand that this problem has always been there; it's not new in this draft but a problem of RFC5176 itself - it is only exacerbated now because proxying was previously totally undefined (making sending malign DM/CoA packets a private workflow and hard) and now becomes mostly defined and thus more easily exploitable. The latter solution, off of standards track, is easier: the target track and milestone info for the document could be changed towards Informational (matching RFC5176 itself) and the WG would during the normal WG workflow suggest appropriate warning text for the draft. I like that way out, if everyone else can live with it. I'd appreciate comments from the working group on that topic, particularly from the three of you of course :-) Greetings, Stefan Winter On 24.03.2015 00:21, Sam Hartman wrote: >>>>>> "Alan" == Alan DeKok <aland@deployingradius.com> writes: > > > Alan> i.e. what you’re saying is that there is a requirement for > Alan> home server A to NOT be allowed to disconnect users for home > Alan> server B in a visited network. That is a *new* requirement, > Alan> which doesn’t negate my comments above. > > Alan> I want to solve one problem at a time. Operator-Name and > Alan> Operator-NAS-Identifier are sufficient to get the packet to > Alan> the visited NAS. Your earlier comments seemed to say that > Alan> they were NOT sufficient, which is what was unclear. > > > I think solving this requirement would be necessary for moving COA to > the standards track or removing the health warning in 5176. > > I'm fine not solving that problem provided that we have a fairly serious > health warning on this draft. > For this and other reasons COA massively fails to meet our current > security expectations for standards track. > > --Sam > > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext > -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Sam Hartman
- Re: [radext] Proposed new charter text Stefan Winter
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Sam Hartman
- Re: [radext] Secure COA Sam Hartman
- Re: [radext] Secure COA Alan DeKok
- Re: [radext] Secure COA Sam Hartman
- Re: [radext] Proposed new charter text Peter Deacon
- [radext] Proposed new charter text Stefan Winter
- Re: [radext] Proposed new charter text Stefan Winter
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Stefan Winter