IETF Logo Mail Archive

Re: [radext] #148: Review of dynamic-discovery by Jim Schaad

Stefan Winter <stefan.winter@restena.lu> Wed, 03 July 2013 14:07 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2F6F21F9CC0 for <radext@ietfa.amsl.com>; Wed, 3 Jul 2013 07:07:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[AWL=0.164, BAYES_00=-2.599, J_CHICKENPOX_62=0.6, J_CHICKENPOX_64=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZxLQRy5rq-Qu for <radext@ietfa.amsl.com>; Wed, 3 Jul 2013 07:07:55 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id CC0C021F8E70 for <radext@ietf.org>; Wed, 3 Jul 2013 07:07:54 -0700 (PDT)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 2B0FA10581 for <radext@ietf.org>; Wed, 3 Jul 2013 16:07:54 +0200 (CEST)
Received: from aragorn.restena.lu (aragorn.restena.lu [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id 14F6910580 for <radext@ietf.org>; Wed, 3 Jul 2013 16:07:54 +0200 (CEST)
Message-ID: <51D43036.4080900@restena.lu>
Date: Wed, 03 Jul 2013 16:07:50 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: radext@ietf.org
References: <065.a122826c6d7c009295065142646863ee@trac.tools.ietf.org> <080.a349ae9f35fd5ba78c6dfd60a52a8535@trac.tools.ietf.org> <011401ce769a$050f8f30$0f2ead90$@augustcellars.com>
In-Reply-To: <011401ce769a$050f8f30$0f2ead90$@augustcellars.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="----enig2MLGGNPFBMVSDHMNWMMPC"
X-Virus-Scanned: ClamAV
Subject: Re: [radext] #148: Review of dynamic-discovery by Jim Schaad
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2013 14:07:55 -0000

Hi,

> I wish I knew enough DNSSEC to say for sure, however this is a good step in
> the right direction.

After more feedback in anothe thread, I've refined the text even more. I
believe we are getting somewhere now :-)

>>  "   The algorithm has a fixed completion time-out of three seconds.
>>     Implementations might be tempted to continue their attempt to resolve
>>     DNS records even after the timeout has passed; a subsequent request
>>     for the same realm might benefit from retrieving the results anyway.
>>     Doing so exposes the server to a Denial-of-Service risk: an attacker
>>     might intentionally craft bogus DNS zones which take a very long time
>>     to reply (e.g. due to a particularly byzantine tree structure, or
>>     artificial delays in responses).  If an attacker generates enough
>>     Access-Requests for a number of such zones, it may deplete server
>>     sockets or other server resources."
> 
> I am not sure that the DOS risk would be significantly larger between a 3
> and a 6 second time out.  It would just require half as many requests.  A
> better way of addressing the specific problem you have shown here would
> involve black-listing of DNS queries and I don't see anything in this text
> or the algorithm which talks about doing black listing of any type.

I've added more text which suggests rate-limiting (but want to leave the
details to implementations).

>>  These were both discussed on the list; DANE is clumsy/not usable in its
>> current state; TLS-PSK is not in scope for this document.
> 
> Great  - please state this in the introduction material

There's actually a better place for this: the S-NAPTR RFC requires me to
wreite a section on "Server Identification and Handshake" anyway.

My current working copy has text to explain why TLS-PSK is bad, suggests
the NAIRealm certificate property (MTI), and has a non-MTI explanation
of what we do in eduroam.

As I thought more about DANE, I think we were actually a bit unfair: the
algorithm discovers a /server/. The identification and handshake
therefore only need to deal with server identification.

It's true that the contacted RADIUS server at some point also has to
make a determination whether it wants to talk to the RADIUS client, but
this doesn't have to be determined on the same grounds as the
server-side identification.

That's actually the same as with NAIRealm: this (MTI!) mechanism only
takes one through the server-side identification, the client auth is
left unspec'ed.

In that light, I think it's fair to add DNSSEC+DANE as one of the
mechanisms. I've added stub text about it; if there is sufficient
interest in the topic then this can be expanded.

I've added a remark that the discovery spec only concerns itself with
the server-side identification.

Greetings,

Stefan Winter

> 
> Jim
> 
>>
>>  Greetings,
>>
>>  Stefan Winter
>>
>> --
>> -------------------------------------+----------------------------------
>> -------------------------------------+---
>>  Reporter:                           |       Owner:  draft-ietf-radext-
>>   stefan.winter@restena.lu           |  dynamic-discovery@tools.ietf.org
>>      Type:  defect                   |      Status:  new
>>  Priority:  major                    |   Milestone:  milestone1
>> Component:  dynamic-discovery        |     Version:  1.0
>>  Severity:  -                        |  Resolution:
>>  Keywords:                           |
>> -------------------------------------+----------------------------------
>> -------------------------------------+---
>>
>> Ticket URL:
>> <http://trac.tools.ietf.org/wg/radext/trac/ticket/148#comment:1>
>> radext <http://tools.ietf.org/radext/>
>>
>> _______________________________________________
>> radext mailing list
>> radext@ietf.org
>> https://www.ietf.org/mailman/listinfo/radext
> 
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

v2.23.0 | Report a Bug | By Email