IETF Logo Mail Archive

Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail reguarding draft-ietf-radext-dynamic-discovery

Alan DeKok <aland@deployingradius.com> Tue, 16 July 2013 13:36 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 206C211E80F6 for <radext@ietfa.amsl.com>; Tue, 16 Jul 2013 06:36:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zzGqO6KXQ2VV for <radext@ietfa.amsl.com>; Tue, 16 Jul 2013 06:36:41 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id 02E6221E80B1 for <radext@ietf.org>; Tue, 16 Jul 2013 06:36:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id EB036224012A; Tue, 16 Jul 2013 15:35:41 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OpCo6XunBi9c; Tue, 16 Jul 2013 15:35:41 +0200 (CEST)
Received: from pc24.home (AAnnecy-157-1-115-178.w90-9.abo.wanadoo.fr [90.9.58.178]) by power.freeradius.org (Postfix) with ESMTPSA id 8497F22400DD; Tue, 16 Jul 2013 15:35:41 +0200 (CEST)
Message-ID: <51E54C2E.80002@deployingradius.com>
Date: Tue, 16 Jul 2013 15:35:42 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Stefan Winter <stefan.winter@restena.lu>
References: <88ACDECA21EE5B438CA26316163BC14C25D334A9@BASS.ad.clarku.edu> <51DD5683.3070202@restena.lu> <51DE5730.4080008@deployingradius.com> <51E545A6.6040008@restena.lu>
In-Reply-To: <51E545A6.6040008@restena.lu>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: radext@ietf.org
Subject: Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail reguarding draft-ietf-radext-dynamic-discovery
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2013 13:36:47 -0000

Stefan Winter wrote:
> Good :-) It would be very simple and straightforward to write an I-D
> registering an integer attribute "Packet-TTL", with an integer value
> that is to be decremented.

  It may also be good to add a "Global-Packet-ID".  The idea would be
that it's a 64-bit or 128-bit opaque token, created by the client.  (Or
a proxy close to the client).  Other proxies would then never touch it.

  It could be cached by proxies for a period of time.  If a proxy sees
the same Global-Packet-ID in two different packets, it knows there's a
loop or retransmission via an alternate path.

> Yet another new DNS record would add much complexity to the draft; for
> little benefit. The TTL would solve this in one go.

  The TTL wouldn't solve the forward / reverse problem.  Using a reverse
IP would catch that.

>>   The document doesn't discuss reverse IP records or lookups.
> 
> It doesn't, because the authentication of the results learned is done by
> X.509 certificate inspection during connection time. I find that a much
> more reliable mechanism than reverse IP checks.

  That's true.

> (if an attacker can fake
> an A record, then it may also be able to fake a PTR record).

  I'm not sure I agree there.  I can fake an A record for my own domain.
 But I can't fake a reverse IP record for an IP which you control.

> Having it attempt /one/ TLS connection to the target doesn't consume
> much computing power. The discovering server could also keep a list of
> servers it has recently tried and found unacceptable; and save itself
> the effort of trying over and over again.

  What about the discovered server?  It would be subject to attacks by
third parties.

  i.e. realm A lists proxy B as it's server via DDNS.  It then publishes
an article saying "free net access by using user@realmA".  Everyone
wanting free net access contacts proxy B.  Repeat for 10,000 domains,
and Proxy B gets a DoS.

  This should ideally be discovered *before* a using high-cost
connection like TLS.  That's why a reverse lookup is useful.

  Now... this is RADIUS, and there aren't that many RADIUS proxies.  But
if the DDNS draft makes it easier, there will be more RADIUS proxies,
and more possibility for such an attack.

> This could be mentioned in Security Considerations, if you find it
> useful/important to have?

  Yes.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email