Re: [radext] Gathering opinions on draft-xue-radext-key-management

Alan DeKok <> Tue, 08 July 2014 02:31 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id DDA211B2A01 for <>; Mon, 7 Jul 2014 19:31:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Aewx4qHZrQDz for <>; Mon, 7 Jul 2014 19:31:57 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id EAD0F1B29FB for <>; Mon, 7 Jul 2014 19:31:56 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id C8C122240499; Tue, 8 Jul 2014 04:31:55 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id awJJ7ZibIwuM; Tue, 8 Jul 2014 04:31:51 +0200 (CEST)
Received: from Thor.local (unknown []) by (Postfix) with ESMTPSA id 1B82B224006C; Tue, 8 Jul 2014 04:31:50 +0200 (CEST)
Message-ID: <>
Date: Mon, 07 Jul 2014 22:31:50 -0400
From: Alan DeKok <>
User-Agent: Thunderbird (Macintosh/20100228)
MIME-Version: 1.0
To: Xueli <>
References: <>
In-Reply-To: <>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "" <>
Subject: Re: [radext] Gathering opinions on draft-xue-radext-key-management
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 08 Jul 2014 02:32:00 -0000

Xueli wrote:
> As you know, we presented the draft-xue-radext-key-management (new version  )
>  Which defines the Radius extensions for key delivery between BNG and AC in some specific scenario.

  I think the general consensus was that this was outside of the scope

> Now the argument is that whether this item is the genuine Radius/RADEXT problem? 

  RADIUS is usually about end-users.  Authenticating them, authorizing
them, and performing accounting for them.  If you want a general purpose
"remote API" protocol, see Diameter.

> Radius packet is proposed to resolve this issue because of following reasons:
> 1 transmit session authorization attributes
> (Key, which is produced during authentication and delivered by Radius from Server to NAS)

  If the key is transmitted between a RADIUS client and server, then the
transmission can be done as part of a normal RADIUS conversation.  If
the key is transmitted somewhere else, then that's a *huge* security
problem.  And it doesn't fit the standard RADIUS model.

> 2 unsolicited messages 
> 3 It is not the issue of Radius, it may be the issue of EAP over Radius..
> At this stage, the authors appreciate your opinions very much for the next step of this draft.
> Can it be solved in RADEXT? If not, which WG could be the place?

  I think this proposal would have a hard time finding traction anywhere
in the IETF.  The security problems with sharing keys are very serious.

  Alan DeKok.