IETF Logo Mail Archive

Re: [radext] Server identity in RADIUS/(D)TLS-bis

Alan DeKok <aland@deployingradius.com> Mon, 15 April 2024 12:50 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C575DC14F69B for <radext@ietfa.amsl.com>; Mon, 15 Apr 2024 05:50:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 74U2Qxfdowd8 for <radext@ietfa.amsl.com>; Mon, 15 Apr 2024 05:50:48 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A582DC14F680 for <radext@ietf.org>; Mon, 15 Apr 2024 05:50:46 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 7FCDD8D; Mon, 15 Apr 2024 12:50:43 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <d86d5c79-3f24-4e84-984a-e0e13c6e5648@dfn.de>
Date: Mon, 15 Apr 2024 08:50:41 -0400
Cc: radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <30DA0F78-CCCC-41E1-AB87-2780EBD469A8@deployingradius.com>
References: <CA9BEA9C-39EF-4764-A0FE-D122413B37F7@deployingradius.com> <18ef8267-474e-49ae-9204-0c6c79d5e50c@dfn.de> <6628c5c8-5071-476f-9ea2-2875d86304e2@dfn.de> <10347.1712778967@obiwan.sandelman.ca> <7D282A57-B68E-43DA-A6A2-7E14A8C09119@deployingradius.com> <5b5d0dc0-a81a-415e-ac01-de8b365a6ea0@dfn.de> <548E18B4-77BB-4658-B17D-56212F324436@deployingradius.com> <42665AEE-C6A2-489F-BFFC-0977F0DCA84F@deployingradius.com> <d86d5c79-3f24-4e84-984a-e0e13c6e5648@dfn.de>
To: Jan-Frederik Rieckers <rieckers@dfn.de>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/rL5OeKqbums_G0G5TndeTl6aiFI>
Subject: Re: [radext] Server identity in RADIUS/(D)TLS-bis
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2024 12:50:49 -0000

On Apr 14, 2024, at 5:20 PM, Jan-Frederik Rieckers <rieckers@dfn.de> wrote:
> My head is spinning a bit and I'm trying to understand everything that was said and what that means for the specification.

  Less is more. 

  After going around a bit, I think we're best off avoiding the issue of identity.  RFC 7585 says how to connect to a server dynamically.  Every other kind of connection is configured manually by an administrator.

  The TLSbis document should discuss how to verify certificates for the TLS session, and leave pretty much everything else unsaid.  This is the RADIUS tradition.

> The current draft says in the section about detecting live servers (3.3) this:
>> If a RADIUS/(D)TLS client has multiple connection to a server, it MUST NOT decide to mark the whole server as DOWN until all connections to it have been marked DOWN.
> 
> So this is the origin of this discussion. We need to have a common understanding of what "multiple connections to a server" or "whole server" means in this context.

  Either RFC 7585 destination, or whatever the administrator configured as "the same server".

> From my understanding, if my software opens a new connection to the same peer, but with a different certificate/SAN/

  How can the "same" peer present a different certificate?

  I see it as:

a) RFC 7585 says "connect to example.com", and the server presents an "example.com" certificate which matches the checks in RFC 7585.  It doesn't matter if the certificate is different from one used by another RFC 7585 connection.  DNS points to it, and the checks pass.  It's the "same" certificate.

  Consider also moving servers.  If you have a connection open, and the domain updates DNS to a new server, then the new server should be considered to be the same one.  If the client does not treat both old/new connections as being to the same server, then the domain can never update DNS or certificates!

b) connection pools (IPs, ports, etc) as manually configured by an administrator.  The only difference between this situation and RFC 7585 is where the "connection to example.com" configuration comes from.  The rest of the analysis is the same.

> .... or -- looking at it from another perspective -- if a peer with a different IP address presented the same certificate, those connections should be considered as connections to a different server, because they may have different policies attached to them, may be in different load balancing groups, may be two different instances in the same load balancing groups, ...

  If RFC 7585 or the admin says "these two connections belong to example.com", then they both belong to example.com.  I don't see why (or how) the client would treat different connections as being to different destinations.

  i.e. if the admin says "server A and server B are both authoritative for example.com", then it makes no sense for the admin to also put different policies on those servers.  That seems like a pretty major misconfiguration to me.

> We don't need to go into detail about Routes or Identity of the RADIUS server (server meaning here: the actual final destination of the RADIUS communication, ignoring proxies), because that is probably irrelevant for this specification. What we want is to identify the same peer for lifeness checks, and we don't care whether it is a proxy or the authoritative RADIUS server.

  I disagree.  Each connection is independent.  We don't need to identity the same peer, ever!

  A client has a pool of connections to a destination realm.  When all of the connections are down, then packets to that realm are not routable.

  To repeat my other message in part, I think the following rules are the simplest description of what to do:


1) RFC 7585 clients SHOULD use SNI.  This information can be used by a server which handles multiple realms, in order to present a matching certificate for that realm.

2) Other TLS clients MAY use SNI.  The SNI realm SHOULD be configured by the administrator of the RADIUS client.  The SNI realm does not need to be the same as any realm in packets sent by the client.

3) TLS connections MUST operate application-layer watchdog checks as per RFC 3559 Section 3.4.  TLS connections SHOULD also enforce idle timeouts, lifetimes, etc.

4) Any connection liveliness checks MUST be applied on a per-connection basis.  There may be other connections to the same destination which are up and active.

5) When all connections to a destination realm or server are down, packets to that destination cannot be forward, and should be discarded.

6) Other issues of load-balancing, multiple connections to the same destination, etc. are outside of the scope of this document.


  I think the only new thing here is (5).  RFC 2865 describes proxying, but doesn't say what to do when a home server is down.  I believe every RADIUS server does this already, but it's good to have that stated in a document.


  Alan DeKok.

v2.23.0 | Report a Bug | By Email