Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail reguarding draft-ietf-radext-dynamic-discovery

[Stefan Winter <stefan.winter@restena.lu>]

Hi,

>   It may also be good to add a "Global-Packet-ID".  The idea would be
> that it's a 64-bit or 128-bit opaque token, created by the client.  (Or
> a proxy close to the client).  Other proxies would then never touch it.
> 
>   It could be cached by proxies for a period of time.  If a proxy sees
> the same Global-Packet-ID in two different packets, it knows there's a
> loop or retransmission via an alternate path.

That's another approach, which would also work. There's a very small
probability that two unrelated packets happen to get the same packet-id;
that kind of indeterminism makes me a bit nervous.

Anyway: I'm glad that we're discussing loop detection /at all/. I didn't
get that far in my earlier attempts on the topic :-)

Re the forward/reverse IP:

>   What about the discovered server?  It would be subject to attacks by
> third parties.
> 
>   i.e. realm A lists proxy B as it's server via DDNS.  It then publishes
> an article saying "free net access by using user@realmA".  Everyone
> wanting free net access contacts proxy B.  Repeat for 10,000 domains,
> and Proxy B gets a DoS.
> 
>   This should ideally be discovered *before* a using high-cost
> connection like TLS.  That's why a reverse lookup is useful.
> 
>   Now... this is RADIUS, and there aren't that many RADIUS proxies.  But
> if the DDNS draft makes it easier, there will be more RADIUS proxies,
> and more possibility for such an attack.

That doesn't really help: the forward and reverse IP checks work on the
A/AAAA pair that is the "leaf" of the discovery process. Third parties
adding a NAPTR where they should not will not be detected. If the end
server is actually offering a dynamic discovery endpoint, then it will
be properly configured for its legimiate customers. Having other people
send non-legitimate customers to the same destination as well will not
be detectable with an IP address check.

>> This could be mentioned in Security Considerations, if you find it
>> useful/important to have?
> 
>   Yes.

The fact that DoS becomes possible by illegitimate clients is mentioned
in RFC6614. I take your point that a mere usage of RFC6614 with
hand-configured clients makes the problem less important, because
firewalls could prevent the session establishment.

For a next rev of dynamicdiscovery, I've added the following paragraph
for Security Considerations in my working copy:

   With Dynamic Discovery being enabled for a RADIUS Server, and
   depending on the deployment scenario, the server may need to open up
   its target IP address and port for the entire internet, because
   arbitrary clients may discover it as a target for their
   authentication requests.  If such clients are not part of the roaming
   consortium, the RADIUS/TLS connection setup phase will fail (which is
   intended) but the computational cost for the connection attempt is
   significant.  With the port for a TLS-based service open, the RADIUS
   server shares all the typical attack vectors for services based on
   TLS (such as HTTPS, SMTPS, ...).  Deployments of RADIUS/TLS with
   Dynamic Discovery should consider these attack vectors and take
   appropriate counter-measures (e.g. blacklisting known-bad IPs on a
   firewall, rate-limiting new connection attempts, etc.).

Is that okay for you?

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473