[radext] Review of draft-ietf-radext-deprecating-radius

Bernard Aboba <bernard.aboba@gmail.com> Fri, 10 November 2023 07:15 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id A9BE4C17C88F for <radext@ietfa.amsl.com>; Thu, 9 Nov 2023 23:15:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id wuz3dyARWLCK for <radext@ietfa.amsl.com>; Thu, 9 Nov 2023 23:15:54 -0800 (PST)
Received: from mail-pg1-x52d.google.com (mail-pg1-x52d.google.com [IPv6:2607:f8b0:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CDDEC16F3EC for <radext@ietf.org>; Thu, 9 Nov 2023 23:15:54 -0800 (PST)
Received: by mail-pg1-x52d.google.com with SMTP id 41be03b00d2f7-5ab94fc098cso1324838a12.1 for <radext@ietf.org>; Thu, 09 Nov 2023 23:15:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699600554; x=1700205354; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=BCmTWQof1l6eB4Y7rEZjo+Nr46BAQ30Bd1lXObAb7qM=; b=geOVHG4h5rnuEEyPBefwuFonIw9Ml0g4s9LaGumsbwOiSzUAXSNv1g8COTaZti/mQb EH01anVtfbvsE28MSSm5CUp4AmADBi8wD6V4QT9SglqESPJ/8QTVz+kQ/vFw1RELGT84 jZaV5atT6mpx3Q80H08EXMc7z9yFHuaeODtLmtp+pohM6BF+YOmPWcKIto2L1yFUr+9K 5gG0oWD9WSAvjJoW/lG4c4UlHtlDD0j2uzZTkoPLLT+hhyCyhsqtyY2EvtOEFqGBKC1Q y2qbuJwRrI+DLhNswbTULIm7eCfwAyDslNmzQo7yRd6g7edWveF1/yGXFDdT+gpLqplB x42Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699600554; x=1700205354; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=BCmTWQof1l6eB4Y7rEZjo+Nr46BAQ30Bd1lXObAb7qM=; b=RFKpg4CiaColajbxHe22iLRCHmr+B+wP6nepQVBNec77eiCYHuXRm1D7dfjwCQ89hd N9e6KjUQDCwFLTPUC+8OrBZLcZsn/SKikMA0v11T4Mpz3i9G5r/eGO16ZGFfrFU2l6RO Je6oXZRg3x82kXMInjxrrVOe10NGdDHgyrAjKh9g1cdxt1uAgOMj1d9iA6dRKGdl/RKk 8wjLKbXneLobY4MG2y4WFxdM690MWg2VDNJqrm36mi/rPa9WpFQLU0E+LdNcc6uF6NFh G2pSfjGKtiEfUtb4+53iUCRrconHqX7PJswqlkjVcFOT7a5NpvIFLtaX2ICCvr9EbJE2 b8Lw==
X-Gm-Message-State: AOJu0YykUtL3vSuQn9hNrs4k9C6IwPTqr7thvleLrMRMvv9Kc424PQqN U1cZxIkZ58T4+l1qQ2VMh53KeTPMz1MuxxHffBraV2YaDMix7A==
X-Google-Smtp-Source: AGHT+IFDJM/ZeZ7BWueETojUkmAS5H6+bdxnd6DjxdK4cp9W9jR804EAXSMNpxvcrvdCj+XJVlS8CCKpdtu6+fhp5wM=
X-Received: by 2002:a17:90b:17c5:b0:281:2634:f81e with SMTP id me5-20020a17090b17c500b002812634f81emr3909685pjb.37.1699600553241; Thu, 09 Nov 2023 23:15:53 -0800 (PST)
MIME-Version: 1.0
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Thu, 09 Nov 2023 23:15:39 -0800
Message-ID: <CAOW+2dvXrx5A0mP=3oDAEQNccd8WY9LeiA6VA7_B6EwY=b6WLQ@mail.gmail.com>
To: radext@ietf.org
Content-Type: multipart/alternative; boundary="0000000000003c71f90609c71728"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/h9saLQk1luj_caz-YaAQJ8nXbjk>
Subject: [radext] Review of draft-ietf-radext-deprecating-radius
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Nov 2023 07:15:58 -0000

It is no longer acceptable for RADIUS to rely on MD5 for security. It is no
longer acceptable to send device or location information in clear text
across the wider INternet. This document therefore deprecates insecure uses
of RADIUS, and mandates the use of secure TLS-based transport layers. We
also discuss related security issues with RADIUS, and give many
recommendations for practices which increase security and privacy.¶

[BA] This statement seems like a good summary. It should be moved earlier
in the document and echo'd in the abstract.

Section 3

"Further, MD5 has been broken for over a decade, as summarized in [RFC6151
<https://www.rfc-editor.org/info/rfc6151>]. For traffic sent across the
Internet, no protocol should depend on MD5 for security. Even if MD5 was
not broken, computers have gotten substantially faster in the past thirty
years. This speed increase makes it possible for the average hobbyist to
perform brute-force attacks to crack even seemingly complex shared secrets.¶

[BA] I would suggest quoting from RFC 6151, rather than using more vague
terms like "broken".  Overall though, RFC 6151 gives more modest advice, so
I think you need to refer to other arguments:

   MD5 is no longer acceptable where collision resistance is required
   such as digital signatures.  It is not urgent to stop using MD5 in
   other ways, such as HMAC-MD5; however, since MD5 must not be used for
   digital signatures, new protocol designs should not employ HMAC-MD5.
   Alternatives to HMAC-MD5 include HMAC-SHA256 [HMAC] [HMAC-SHA256] and
   [AES-CMAC] when AES is more readily available than a hash function.

Section 3.1

There are clear privacy and security information with sending user
identifiers, and user locations [RFC5580
<https://www.rfc-editor.org/info/rfc5580>] in clear-text across the
Internet. As such, the use of clear-text protocols across insecure networks
is no longer acceptable.

[BA] Maybe you can cite some other documents (e.g. IAB privacy guidance) to
justify the last sentence? Certainly, leaking 15-meter accurate location
seems like a very bad idea...¶

Section 3.2

"Attacks on MD5 are summarized in part in [RFC6151
<https://www.rfc-editor.org/info/rfc6151>]. While there have not been many
new attacks in the decade since [RFC6151
<https://www.rfc-editor.org/info/rfc6151>] was published, that does not
mean that further attacks do not exist. It is more likely that no one is
looking for new attacks.¶

It is reasonable to expect that new research can further break MD5, but
also that such research may not be publicly available."

[BA] I'd probably ask SECDIR to review this section if you are going to
make recommendations beyond those made in RFC 6151.

Section 3.3

I might put this section earlier, since it seems to be the most significant
vulnerability that has advanced since publication of RFC 6421 and 6151.

Section 4

"In conclusion, if a User-Password, or CHAP-Password, or MS-CHAP password
has been sent over the Internet via RADIUS/UDP or RADIUS/TCP in the last
decade, you should assume that underlying password has been compromised.¶

[BA] I think you need to clarify that this paragraph refers to RADIUS
attributes, not to TLS-protected transport in EAP-TTLS.

Section 5.1

"RADIUS/UDP and RADIUS/TCP MUST NOT be used outside of secure networks. A
secure network is one which is known to be safe from eavesdroppers,
attackers, etc."

[BA] What network is known to be safe in this way? RFC 1985 Section 6 makes
it clear that endpoints should not depend on such claims:

   "6.2 It is highly desirable that Internet carriers protect the privacy
   and authenticity of all traffic, but this is not a requirement of the
   architecture.  Confidentiality and authentication are the
   responsibility of end users and must be implemented in the protocols
   used by the end users. Endpoints should not depend on the
   confidentiality or integrity of the carriers. Carriers may choose to
   provide some level of protection, but this is secondary to the
   primary responsibility of the end users to protect themselves."

Section 6

"Our best guess is that at the time of this writing, there could be in the
order of hundreds of thousands, if not millions of RADIUS/UDP devices in
daily use.¶

[BA] The access point market is multiple billion $ today and growing at a
healthy rate. Since virtually every access point sold supports RADIUS and
every enterprise AP uses RADIUS, we can definitely say that there are
millions of legacy RADIUS-enabled devices.

Section 7.3

"Some organizations may desire to increase the security of their network by
using alternate authentication methods such as CHAP or MS-CHAP, instead of
PAP. These attempts are largely misguided. If simple password-based methods
must be used, in almost all situations, the security of the network as a
whole is increased by using PAP in preference to CHAP or MS-CHAP. The
reason is found through a simple risk analysis, which we explain in more
detail below.¶

[BA] This paragraph talks about "authentication methods" rather than RADIUS
attributes and as such is potentially confusing.  EAP-TTLS carries
CHAP/MS-CHAP/PAP attributes within a TLS tunnel, and so unless EAP-TTLS is
terminated and proxied in the clear, you won't see CHAP/MS-CHAP/PAP
attributes in RADIUS, only within a TLS tunnel. The same is true of PEAP
with EAP-MSCHAPv2.

"It is therefore RECOMMENDED that administrators use PAP in preference to

[BA] I think you need to distinguish the usage of PAP/CHAP/MS-CHAP in
EAP-TTLS (where the RADIUS attributes can appear when "naked proxies" are
used) and uses in other EAP methods where those RADIUS attributes aren't

Section 7.4

This section relates to EAP, not to the use of RADIUS attributes, so it is
somewhat confusing.  IMHO, it would make more sense to discuss the
situations in which you will see PAP/CHAP/MS-CHAP attributes on the wire so
that people can avoid them.

Section 7.5

"it is RECOMMENDED to use EAP instead of PAP, CHAP, or MS-CHAP. If
passwords are used, they can be can be protected via TLS-based EAP methods
such as EAP-TTLS or PEAP."

[BA] The first sentence is good advice, and probably should be moved
earlier in the document, since it motivates discussion of vulnerabilities
in the CHAP/PAP/MS-CHAP RADIUS attributes.

The second sentence is problematic, since EAP-TTLS if terminated on a
"naked proxy" will send PAP/CHAP/MS-CHAP attributes in the clear, exactly
the problem you're trying to avoid.

Comments on other text

"While MD5 has been broken, it is a testament to the design of RADIUS that
there have been (as yet) no attacks on RADIUS Authenticator signatures
which are stronger than brute-force."¶

[BA] RFC 6151 seems to suggest attacks stronger than brute force, no?
Overall, I'd suggest that this sentence be deleted. The use of the term
"broken" needs additional clarification, perhaps via quotes from RFC 6151.
The paragraph that follows provides additional detail, but as it stands it
isn't clear that this sentence is referring to those considerations, or
some of the weaknesses described in RFC 6151 or other documents.

RFC 6421 Section 3 details the known weaknesses as of 2011, and provides
references. You refer to it early on, so the reader is expecting an update
on newer weaknesses and threats. Have there been advances in MD5 collisions
and cryptographic weaknesses beyond those described in RFC 6421?

RFC 3579 describes attacks on MD5 stream ciphers that are stronger than
brute-force, such as repeating nonces, known plaintext attacks, etc.

"However, the problems with MD5 means that if a someone can view
unencrypted RADIUS traffic, even a hobbyist attacker can crack all possible
RADIUS shared secrets of eight characters or less. Such attacks can also
result in compromise of all passwords carried in the User-Password

[BA] I think you need to clarify what "view unencrypted RADIUS traffic"
means. Are you referring to a RADIUS packet not protected by (D)TLS?  Or
are you referring to a conventional RADIUS packet without protected

"Even if a stronger packet signature method was used as in [RFC6218
<https://www.rfc-editor.org/info/rfc6218>], it would not fully address the
issues with RADIUS. Most information in RADIUS is sent in clear-text, and
only a few attributes are hidden via obfuscation methods which rely on more
"ad hoc" MD5 constructions. The privacy implications of this openness are

[BA] The term "signature" with RADIUS doesn't seem quite right, since there
is no public cryptography involved, just a hash, right?  Can you be more
specific which "issues with RADIUS" are being referred to here?  The
protocol has so many vulnerabilities, I wasn't sure whether you were
referring to attacks on the RADIUS shared secret, the inadequacy of the MD5
stream cipher, potential issues with collissions or some other inadequacy.

"When RADIUS/UDP is used across the public Internet, the location of
individuals can potentially be tracked in real-time (usually 10 minute
intervals), to within 15 meters. Their devices can be identified, and

[BA] I think you want to specifically state the access mechanisms that
permit 15-meter accuracy (e.g. WiFi) and the role of Wifi MAC address to
location lookups that made this kind of realtime tracking possible. The
accuracy was is course much worse for dialup or VPNs.

"Any passwords they send via the User-Password attribute can be be
compromised. Even using CHAP-Password offers minimal protection, as the
cost of cracking the underlying password is similar to the cost of cracking
the shared secret."

[BA] "be be" -> "be"

"MS-CHAP ([RFC2433 <https://www.rfc-editor.org/info/rfc2433>] and [RFC2759
<https://www.rfc-editor.org/info/rfc2759>]) is significantly worse for
security, as it can be trivially cracked with minimal resources even if the
shared secret is not known (Section 7.4

[BA] A bit more detail might help here. MS-CHAP attributes were deprecated
with the advent of PEAP/EAP-MSCHAPv2, so they typically will only be
encountered in legacy dialup networking or when EAP-TTLS is proxied.
EAP-TTLS proxying can send CHAP, MS-CHAP and even PAP attributes in the
clear, which creates some unique problems.

"For example, some authentication methods such EAP-TLS, EAP-TTLS, etc.
allow for User-Name privacy and for more secure transport of passwords via
the use of TLS."

[BA] Given the previous concerns about CHAP, MS-CHAP, etc. it seems odd not
to cover the extra vulnerabilities introduced by EAP-TTLS proxying, which
opens up security vulnerabilities that do not exist with other TLS-based
EAP methods. Without that additional coverage the statement is somewhat

"And even when TLS-based EAP methods are used, implementations have
historically often skipped certificate validation, leading to password
compromise ([SPOOFING
<https://networkradius.com/articles/2021/08/04/wifi-spoofing.html>]). In
many cases, users were not even aware that the server certificate was
incorrect or spoofed, which meant that there was no way for the user to
detect that anything was wrong. Their passwords were simply handed to a
spoofed server, with little possibility for the user to take any action to
stop it."¶

[BA] Reading this paragraph lead me to wonder whether the problems with
skipped certificate validation will also become common with RADIUS over
(D)TLS. Or is there reason to believe that this problem will become less
common with secure RADIUS?