IETF Logo Mail Archive

Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04

Peter Deacon <peterd@iea-software.com> Mon, 08 April 2013 15:20 UTC

Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F5EF21F944B for <radext@ietfa.amsl.com>; Mon, 8 Apr 2013 08:20:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.543
X-Spam-Level:
X-Spam-Status: No, score=-2.543 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z-EkiXThZKTa for <radext@ietfa.amsl.com>; Mon, 8 Apr 2013 08:20:53 -0700 (PDT)
Received: from aspen.internal.iea-software.com (remote.iea-software.com [70.89.142.196]) by ietfa.amsl.com (Postfix) with ESMTP id 6A85B21F9385 for <radext@ietf.org>; Mon, 8 Apr 2013 08:20:53 -0700 (PDT)
Received: from littlesmurf (unverified [10.0.1.16]) by aspen.internal.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005878583@aspen.internal.iea-software.com>; Mon, 8 Apr 2013 08:20:52 -0700
Date: Mon, 08 Apr 2013 08:20:53 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <5162C651.2000200@deployingradius.com>
Message-ID: <alpine.WNT.2.00.1304080801440.1952@littlesmurf>
References: <1A5FDF7C-9E93-447E-A103-9700349CB2F5@gmail.com> <alpine.WNT.2.00.1304021450180.3988@SMURF> <515C3604.3040406@deployingradius.com> <alpine.WNT.2.00.1304042021411.3988@SMURF> <tslli8xnoms.fsf@mit.edu> <515ED047.3040200@deployingradius.com> <alpine.WNT.2.00.1304051020120.3988@SMURF> <5160255B.40409@deployingradius.com> <alpine.WNT.2.00.1304060913320.3988@SMURF> <5160B785.8070703@deployingradius.com> <tslppy5i2dm.fsf@mit.edu> <5162C651.2000200@deployingradius.com>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: Sam Hartman <hartmans@painless-security.com>, radext@ietf.org
Subject: Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2013 15:20:54 -0000

On Mon, 8 Apr 2013, Alan DeKok wrote:

> Sam Hartman wrote:
>> Can you point to the documentation of the hard requirement for
>> server-side memory in upgrade?
>> I'd like to understand how we got there and the discussions/arguments
>> leading to that.

>  Down-bidding attacks.

A bidding down attack requires client or server to be tricked into 
accepting security lower than highest supported by both peers.  See the 
table in my previous message.

>  Once a client upgrades to DTLS, allowing plain UDP is a down-bidding
> attack.

To be an attack the attack must be successful. With RADIUS/DTLS draft 
there is no negotiation protocol to attack.  Either the nonnegotiable 
demands of both sides are met or it fails.

A client configured to only emit RADIUS/DTLS requests cannot be tricked 
into falling back to a less secure RADIUS/UDP.


Likewise a server willing to accept RADIUS/UDP and RADIUS/DTLS cannot be 
tricked into accepting RADIUS/UDP as RADIUS/UDP has been configured to be 
acceptable to the server.

A server willing to accept only RADIUS/DTLS cannot be tricked into 
accepting RADIUS/UDP.  This is a setting on the server rather than 
negotiation parameter able to be attacked from the protocol.

regards,
Peter

v2.39.1 | Report a Bug | By Email | System Status