IETF Logo Mail Archive

Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04

Peter Deacon <peterd@iea-software.com> Fri, 05 April 2013 18:18 UTC

Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4173921F97AE for <radext@ietfa.amsl.com>; Fri, 5 Apr 2013 11:18:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.475
X-Spam-Level:
X-Spam-Status: No, score=-2.475 tagged_above=-999 required=5 tests=[AWL=0.124, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yvu5QfoL+BBg for <radext@ietfa.amsl.com>; Fri, 5 Apr 2013 11:18:24 -0700 (PDT)
Received: from aspen.internal.iea-software.com (remote.iea-software.com [70.89.142.196]) by ietfa.amsl.com (Postfix) with ESMTP id 8066821F8681 for <radext@ietf.org>; Fri, 5 Apr 2013 11:18:24 -0700 (PDT)
Received: from SMURF (unverified [10.0.3.195]) by aspen.internal.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005878303@aspen.internal.iea-software.com>; Fri, 5 Apr 2013 11:18:23 -0700
Date: Fri, 05 Apr 2013 11:18:18 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <515ED047.3040200@deployingradius.com>
Message-ID: <alpine.WNT.2.00.1304051020120.3988@SMURF>
References: <1A5FDF7C-9E93-447E-A103-9700349CB2F5@gmail.com> <alpine.WNT.2.00.1304021450180.3988@SMURF> <515C3604.3040406@deployingradius.com> <alpine.WNT.2.00.1304042021411.3988@SMURF> <tslli8xnoms.fsf@mit.edu> <515ED047.3040200@deployingradius.com>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Cc: Sam Hartman <hartmans@painless-security.com>, radext-chairs@tools.ietf.org, radext@ietf.org
Subject: Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 18:18:25 -0000

On Fri, 5 Apr 2013, Alan DeKok wrote:

> 3. Transition Path

> Transitioning to DTLS is a process which needs to be done carefully.
> A poorly handled transition is complex for administrators, and
> potentially subject to security downgrade attacks.  It is not
> sufficient to just disable RADIUS/UDP and enable RADIUS/DTLS.  That
> approach would result in timeouts, lost traffic, and network
> instabilities.

> The end result of this specification is that nearly all RADIUS/UDP
> implementations should transition to using RADIUS/DTLS.  In some
> cases, RADIUS/UDP may remain where IPSec is used as a transport, or
> where implementation and/or business reasons preclude a change.
> However, long-term use of RADIUS/UDP is NOT RECOMMENDED.

> This section describes how clients and servers should transition to
> DTLS.  There is a fair amount of discussion around this transition, as
> it is critical to get it correct.  We expect that once implementations
> have transitioned to RADIUS/DTLS, the text in this section will no
> longer be relevant.

> 3.1 Server Transition to DTLS

> As this specification permits server implementations to accept both
> RADIUS/UDP and RADIUS/DTLS packets on the same port, we require a
> method to disambiguate packets between the two protocols.  This method
> is applicable only to RADIUS/DTLS servers.
> The disambiguation method leverages the RADIUS/UDP requirement that

> clients be known by source IP address.  RADIUS/DTLS servers MUST treat
> packets from unknown IP addresses as being DTLS.  This requirement

> does not mean that the server is required to accept these packets.  It
> means that if the server chooses to accept them, they are to be
> treated as being DTLS.

I don't think this will work for us.  This is data that people use to 
flag/report possible new clients they should have known about, existing 
clients with changed addresses and plain old configuration errors.

It can be a configuration option, done conditionally within the context 
protocol disambiguation or even a recommendation but not something 
unconditionally required.

> For packets from known IP addresses RADIUS/DTLS servers MUST maintain
> a boolean "DTLS Required" flag for each client that indicates if it
> requires a client to use RADIUS/DTLS.  If the flag is "true" then all
> packets from that client MUST be processed as RADIUS/DTLS.

> The transition to RADIUS/DTLS is performed only when the "DTLS
> Required" flag is "false".  This setting means that the client is
> known to support RADIUS/UDP, but may also support RADIUS/DTLS.
> Packets from the client need to be examined to see if they are
> RADIUS/UDP or RADIUS/DTLS.  The protocol disambiguation method
> outlined below in Section 5.1.2 MUST be used to determine how received
> packets are treated.

Suggest reversing this.  Have the client maintain the flag.  If DTLS 
handshake has succeeded then client uses DTLS from then on for any 
inquiries without the option of automatically falling back to UDP.

Servers would still maintain flag but it would only be a manually turned 
knob to indicate security level it is willing to accept.

This causes less breakage for the case of multiple clients behind a single 
IP where they can not all be upgraded at once to DTLS.  Whether client or 
server does the enforcement seems moot as the same outcome is realized 
either way.

The more I think about it the more I agree with Joe's points on separate 
UDP ports.

regards,
Peter

v2.39.1 | Report a Bug | By Email | System Status