Re: [radext] Eric Rescorla's No Objection on draft-ietf-radext-coa-proxy-05: (with COMMENT)

Eric Rescorla <ekr@rtfm.com> Wed, 15 August 2018 16:13 UTC

In-Reply-To: <885EEC1B-966C-4B97-8556-43527C051956@freeradius.org>
References: <153434610726.14442.18102779548524907034.idtracker@ietfa.amsl.com> <885EEC1B-966C-4B97-8556-43527C051956@freeradius.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 15 Aug 2018 09:12:44 -0700
Message-ID: <CABcZeBMc=YbP21C=vy+P-DRvcZfOxgMqeS_snS8JKFPkN90fuA@mail.gmail.com>
To: Alan DeKok <aland@freeradius.org>
Cc: The IESG <iesg@ietf.org>, radext@ietf.org, Winter Stefan <stefan.winter@restena.lu>, radext-chairs@ietf.org, draft-ietf-radext-coa-proxy@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/hvoUrgDVB09c972JbSIRa-5oKxM>

On Wed, Aug 15, 2018 at 8:26 AM, Alan DeKok <aland@freeradius.org> wrote:

> On Aug 15, 2018, at 11:15 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> > I concur with Adam's DISCUSS (but marking no-objection to let him
> > manage this). Specifically, you need to describe what the security
> > expectations are for the Operator-NAS-Identifier. Need it be
> > unguessable? Should separate identifiers that refer to the same NAS be
> > unlinkable? "Cryptographically strong" is not a sufficiently specific
> > term to determine what the requirements are here.
>
>   I've rewritten the problem text in order to (a) avoid these issues, and
> (b) discuss the security implications in more detail.
>
> > COMMENTS
> > S 6.
> >>     issues.
> >>
> >>     The Operator-NAS-Identifier SHOULD be created by the Visited Network
> >>     such that its contents are opaque to all other parties.  This ensures
> >>     that anyone observing unencrypted RADIUS traffic gains no information
> >>     about the internals of the Visited Network.
> >
> > See above about the requirements here. Does there need to be an
> > unlinkable identifier each time?
>
>   No.
>
>   External parties already know the identity and number of NASes in a
> Visited Network.  The Operator-NAS-Identifier attribute here is opaque
> simply because there is no compelling reason for giving it a public meaning.
>
>   As such, there is no need for integrity checks, replay detection,
> privacy, etc.
>

OK, well, the text needs to say this, because the existing text implies
otherwise.

-Ekr


>   Alan DeKok.
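To make the property under discussion concrete, here is an added example (not code from the draft, from FreeRADIUS, or from either participant) of one way a Visited Network could mint an Operator-NAS-Identifier that is opaque to outside observers yet remains a stable handle it can map back to its own NAS when a CoA-Request arrives. The keyed-hash construction, the secret and the NAS name are assumptions of this example; it deliberately keeps the identifier deterministic and linkable, since the reply above says unlinkability, integrity and replay protection are not required.

```python
import hmac
import hashlib
from typing import Dict, Optional

# Added example, not from draft-ietf-radext-coa-proxy: an opaque but
# stable Operator-NAS-Identifier minted by the Visited Network. Using an
# HMAC over the internal NAS name is this example's choice, not the
# draft's requirement; any mapping the Visited Network alone can reverse
# would satisfy "opaque to all other parties".

class OperatorNasIdMapper:
    """Maps internal NAS identity <-> opaque Operator-NAS-Identifier."""

    def __init__(self, secret: bytes, length: int = 16) -> None:
        self._secret = secret                 # known only to the Visited Network
        self._length = length                 # bytes of the MAC kept as the identifier
        self._reverse: Dict[str, str] = {}    # opaque id -> internal NAS

    def identifier_for(self, internal_nas: str) -> str:
        """Opaque identifier for an internal NAS name or address.

        Deterministic: the same NAS always yields the same value, so the
        identifier is linkable across sessions, which the thread accepts.
        The hex output carries no substring of the internal name.
        """
        mac = hmac.new(self._secret, internal_nas.encode(), hashlib.sha256)
        opaque = mac.digest()[: self._length].hex()
        self._reverse[opaque] = internal_nas
        return opaque

    def resolve(self, opaque: str) -> Optional[str]:
        """Map an Operator-NAS-Identifier seen in a CoA-Request back to the
        internal NAS to forward to; None if this network never issued it."""
        return self._reverse.get(opaque)


def demo() -> dict:
    # Constructed sample values; the secret and NAS name are placeholders.
    mapper = OperatorNasIdMapper(b"visited-network-local-secret")
    nas = "nas01.pop3.visited.example"
    ident = mapper.identifier_for(nas)
    return {
        "ident": ident,
        "stable": ident == mapper.identifier_for(nas),
        "opaque": nas.encode().hex() not in ident,
        "round_trip": mapper.resolve(ident) == nas,
        "unknown": mapper.resolve("00" * 16),
    }
```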