IETF Logo Mail Archive

Re: [radext] Extended IDs

Alan DeKok <aland@deployingradius.com> Fri, 01 December 2017 16:39 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C241712940B for <radext@ietfa.amsl.com>; Fri, 1 Dec 2017 08:39:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ryccUzRV6_a0 for <radext@ietfa.amsl.com>; Fri, 1 Dec 2017 08:39:56 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id C1518128A32 for <radext@ietf.org>; Fri, 1 Dec 2017 08:39:56 -0800 (PST)
Received: from [192.168.20.53] (CPEf4cc55220745-CM64777ddff610.cpe.net.cable.rogers.com [99.248.225.186]) by mail.networkradius.com (Postfix) with ESMTPSA id C303A4D9; Fri, 1 Dec 2017 16:39:55 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <8DE62B3C-D2FA-4467-9CCE-7F8D039B87E2@cisco.com>
Date: Fri, 01 Dec 2017 11:39:54 -0500
Cc: "radext@ietf.org" <radext@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8D51B0BA-8F24-437D-B841-7F796F1174CF@deployingradius.com>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <8BD2C2F2-D42E-4B84-8F86-3A803160DD74@cisco.com> <b6ed7a87de434ea4a39f584a92e933b9@XCH-ALN-014.cisco.com> <285C5C94-578E-4293-81A2-9D73E1105ABE@deployingradius.com> <8DE62B3C-D2FA-4467-9CCE-7F8D039B87E2@cisco.com>
To: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/h5_byQIGRcOLR_Pw8iAphG-qtJc>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2017 16:39:59 -0000

On Dec 1, 2017, at 11:15 AM, Jakob Heitz (jheitz) <jheitz@cisco.com> wrote:
> 
> What if the quantum computers turn out to live up to their promises? Then we can throw out all this authentication stuff and decide to not share our Ethernets with the attackers instead. No more request authenticator.

  I'm sorry, but that just isn't realistic.

  If quantum computers can crack encryption, then RADIUS security will be the least of our issues.

> The request authenticator is already overloaded. It may be used for the CHAP challenge. Now, you want another overload?

  I'd like to use an existing field, yes.

  The draft explains why this works.  In detail.

> The request authenticator is not reflected back in any return packets. The response authenticator is a different number. Suppose the client has several requests outstanding with the same id. When it receives a response, it has to hash it with every request authenticator from these outstanding requests to figure out which one the response is for.

  Please don't claim there are problems with the draft until you read it.

  The draft EXPLICITLY STATES that the request authenticator is echoed back in a new attribute.  It has many, many, pages to discuss all possible issues with that practice.

> Conflicting requests: if the server receives a request identical to one it received before and has a cached response, then retransmit the cache, else process it again. How to determine “identical request” is a local matter.

  Those are duplicate requests.  They were defined 10 years ago in RFC 5080, Section 2.2.2, including how to determine what a "duplicate request" is.

 https://tools.ietf.org/html/rfc5080#section-2.2.2

  RFC 5080 also defines what RADIUS servers should do with these requests.  My comment was about *conflicts*.

  i.e. a RADIUS server receives an Access-Request from a client (src/dst, IP/port, ID 0, request authenticator A).  While the server is processing that packet, the client (for whatever reason) sends a *different* packet with the same src/dst IP/port.  ID 0, but a *different* request authenticator.

  Should be server respond to the first packet?  Or should the server respond to the second packet?  Or should it respond to both?

  Again... this issue is discussed in detail in my draft.

> Comparing ID alone is clearly not enough. Comparing anything less than the whole request packet risks misidentified duplicates.

  That simply isn't true.

  Again, please read the draft.  This is discussed in excruciating detail.  Including the possibility of false positives, false negatives, etc.

> If the short cut misleads, then don’t take the short cut.

  I think the only short cut here is the decision to skip reading the draft before commenting on it.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email