Re: [radext] #148: Review of dynamic-discovery by Jim Schaad
Stefan Winter <stefan.winter@restena.lu> Wed, 03 July 2013 14:07 UTC
Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2F6F21F9CC0 for <radext@ietfa.amsl.com>; Wed, 3 Jul 2013 07:07:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[AWL=0.164, BAYES_00=-2.599, J_CHICKENPOX_62=0.6, J_CHICKENPOX_64=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZxLQRy5rq-Qu for <radext@ietfa.amsl.com>; Wed, 3 Jul 2013 07:07:55 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id CC0C021F8E70 for <radext@ietf.org>; Wed, 3 Jul 2013 07:07:54 -0700 (PDT)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 2B0FA10581 for <radext@ietf.org>; Wed, 3 Jul 2013 16:07:54 +0200 (CEST)
Received: from aragorn.restena.lu (aragorn.restena.lu [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id 14F6910580 for <radext@ietf.org>; Wed, 3 Jul 2013 16:07:54 +0200 (CEST)
Message-ID: <51D43036.4080900@restena.lu>
Date: Wed, 03 Jul 2013 16:07:50 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: radext@ietf.org
References: <065.a122826c6d7c009295065142646863ee@trac.tools.ietf.org> <080.a349ae9f35fd5ba78c6dfd60a52a8535@trac.tools.ietf.org> <011401ce769a$050f8f30$0f2ead90$@augustcellars.com>
In-Reply-To: <011401ce769a$050f8f30$0f2ead90$@augustcellars.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="----enig2MLGGNPFBMVSDHMNWMMPC"
X-Virus-Scanned: ClamAV
Subject: Re: [radext] #148: Review of dynamic-discovery by Jim Schaad
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2013 14:07:55 -0000
Hi, > I wish I knew enough DNSSEC to say for sure, however this is a good step in > the right direction. After more feedback in anothe thread, I've refined the text even more. I believe we are getting somewhere now :-) >> " The algorithm has a fixed completion time-out of three seconds. >> Implementations might be tempted to continue their attempt to resolve >> DNS records even after the timeout has passed; a subsequent request >> for the same realm might benefit from retrieving the results anyway. >> Doing so exposes the server to a Denial-of-Service risk: an attacker >> might intentionally craft bogus DNS zones which take a very long time >> to reply (e.g. due to a particularly byzantine tree structure, or >> artificial delays in responses). If an attacker generates enough >> Access-Requests for a number of such zones, it may deplete server >> sockets or other server resources." > > I am not sure that the DOS risk would be significantly larger between a 3 > and a 6 second time out. It would just require half as many requests. A > better way of addressing the specific problem you have shown here would > involve black-listing of DNS queries and I don't see anything in this text > or the algorithm which talks about doing black listing of any type. I've added more text which suggests rate-limiting (but want to leave the details to implementations). >> These were both discussed on the list; DANE is clumsy/not usable in its >> current state; TLS-PSK is not in scope for this document. > > Great - please state this in the introduction material There's actually a better place for this: the S-NAPTR RFC requires me to wreite a section on "Server Identification and Handshake" anyway. My current working copy has text to explain why TLS-PSK is bad, suggests the NAIRealm certificate property (MTI), and has a non-MTI explanation of what we do in eduroam. As I thought more about DANE, I think we were actually a bit unfair: the algorithm discovers a /server/. The identification and handshake therefore only need to deal with server identification. It's true that the contacted RADIUS server at some point also has to make a determination whether it wants to talk to the RADIUS client, but this doesn't have to be determined on the same grounds as the server-side identification. That's actually the same as with NAIRealm: this (MTI!) mechanism only takes one through the server-side identification, the client auth is left unspec'ed. In that light, I think it's fair to add DNSSEC+DANE as one of the mechanisms. I've added stub text about it; if there is sufficient interest in the topic then this can be expanded. I've added a remark that the discovery spec only concerns itself with the server-side identification. Greetings, Stefan Winter > > Jim > >> >> Greetings, >> >> Stefan Winter >> >> -- >> -------------------------------------+---------------------------------- >> -------------------------------------+--- >> Reporter: | Owner: draft-ietf-radext- >> stefan.winter@restena.lu | dynamic-discovery@tools.ietf.org >> Type: defect | Status: new >> Priority: major | Milestone: milestone1 >> Component: dynamic-discovery | Version: 1.0 >> Severity: - | Resolution: >> Keywords: | >> -------------------------------------+---------------------------------- >> -------------------------------------+--- >> >> Ticket URL: >> <http://trac.tools.ietf.org/wg/radext/trac/ticket/148#comment:1> >> radext <http://tools.ietf.org/radext/> >> >> _______________________________________________ >> radext mailing list >> radext@ietf.org >> https://www.ietf.org/mailman/listinfo/radext > > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext > -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
- [radext] #148: Review of dynamic-discovery by Jim… radext issue tracker
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Jouni Korhonen
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… radext issue tracker
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… radext issue tracker