IETF Logo Mail Archive

Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail reguarding draft-ietf-radext-dynamic-discovery

Alan DeKok <aland@deployingradius.com> Wed, 24 July 2013 13:30 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A53811E80FD for <radext@ietfa.amsl.com>; Wed, 24 Jul 2013 06:30:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AXfa6efWFpnT for <radext@ietfa.amsl.com>; Wed, 24 Jul 2013 06:30:16 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id 2DB0F21F9FDE for <radext@ietf.org>; Wed, 24 Jul 2013 06:30:14 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 6450122400C8; Wed, 24 Jul 2013 15:29:17 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jh193Pn22geO; Wed, 24 Jul 2013 15:29:17 +0200 (CEST)
Received: from Thor-2.local (unknown [67.71.147.228]) by power.freeradius.org (Postfix) with ESMTPSA id BF958224009D; Wed, 24 Jul 2013 15:29:16 +0200 (CEST)
Message-ID: <51EFD6AD.9020006@deployingradius.com>
Date: Wed, 24 Jul 2013 09:29:17 -0400
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Stefan Winter <stefan.winter@restena.lu>
References: <88ACDECA21EE5B438CA26316163BC14C25D334A9@BASS.ad.clarku.edu> <51DD5683.3070202@restena.lu> <51DE5730.4080008@deployingradius.com> <51E545A6.6040008@restena.lu> <51E54C2E.80002@deployingradius.com> <51EFA72E.9050507@restena.lu>
In-Reply-To: <51EFA72E.9050507@restena.lu>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: radext@ietf.org
Subject: Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail reguarding draft-ietf-radext-dynamic-discovery
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2013 13:30:49 -0000

Stefan Winter wrote:
> That's another approach, which would also work. There's a very small
> probability that two unrelated packets happen to get the same packet-id;
> that kind of indeterminism makes me a bit nervous.

  There's no good solution for global uniqueness.  It can be mitigated
via a 128-bit ID.  That means the probability of two IDs being the same
is one in 2^64, which is rare enough to not really worry about.

> That doesn't really help: the forward and reverse IP checks work on the
> A/AAAA pair that is the "leaf" of the discovery process. Third parties
> adding a NAPTR where they should not will not be detected. If the end
> server is actually offering a dynamic discovery endpoint, then it will
> be properly configured for its legimiate customers. Having other people
> send non-legitimate customers to the same destination as well will not
> be detectable with an IP address check.

  I'm not sure.  Maybe I'm missing something.  If a proxy is about to
send radsec traffic for realm A to IP address B, can't it do a DNS
lookup on IP address B to see if realm A is listed?

> For a next rev of dynamicdiscovery, I've added the following paragraph
> for Security Considerations in my working copy:
> 
>    With Dynamic Discovery being enabled for a RADIUS Server, and
>    depending on the deployment scenario, the server may need to open up
>    its target IP address and port for the entire internet, because
>    arbitrary clients may discover it as a target for their
>    authentication requests.  If such clients are not part of the roaming
>    consortium, the RADIUS/TLS connection setup phase will fail (which is
>    intended) but the computational cost for the connection attempt is
>    significant.  With the port for a TLS-based service open, the RADIUS
>    server shares all the typical attack vectors for services based on
>    TLS (such as HTTPS, SMTPS, ...).  Deployments of RADIUS/TLS with
>    Dynamic Discovery should consider these attack vectors and take
>    appropriate counter-measures (e.g. blacklisting known-bad IPs on a
>    firewall, rate-limiting new connection attempts, etc.).
> 
> Is that okay for you?

  Yes.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email