IETF Logo Mail Archive

Re: [radext] Adam Roach's Discuss on draft-ietf-radext-coa-proxy-05: (with DISCUSS and COMMENT)

Alan DeKok <aland@deployingradius.com> Tue, 14 August 2018 15:01 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9F7812426A; Tue, 14 Aug 2018 08:01:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XpQ7VMOsrKHR; Tue, 14 Aug 2018 08:01:30 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id 5C6B1130DC8; Tue, 14 Aug 2018 08:01:30 -0700 (PDT)
Received: from [192.168.20.32] (CPEf4cc55220745-CM64777ddff610.cpe.net.cable.rogers.com [173.32.191.82]) by mail.networkradius.com (Postfix) with ESMTPSA id C10F14DB; Tue, 14 Aug 2018 15:01:28 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <0d9cc14c-d065-87fa-5ea1-f76fde1c9c2f@nostrum.com>
Date: Tue, 14 Aug 2018 11:01:27 -0400
Cc: Winter Stefan <stefan.winter@restena.lu>, radext@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-radext-coa-proxy@ietf.org, radext-chairs@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B33A4595-EDBE-41C5-9FD6-5EEACB6EEDE4@deployingradius.com>
References: <153421241151.25112.5942779659969287406.idtracker@ietfa.amsl.com> <DCBC0F8A-E486-4844-8C7A-CCDEBD41A0E4@deployingradius.com> <0d9cc14c-d065-87fa-5ea1-f76fde1c9c2f@nostrum.com>
To: Adam Roach <adam@nostrum.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/wkr0rt2ZU61qWnM7zL0hr2uxtzM>
Subject: Re: [radext] Adam Roach's Discuss on draft-ietf-radext-coa-proxy-05: (with DISCUSS and COMMENT)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2018 15:01:33 -0000

On Aug 14, 2018, at 9:43 AM, Adam Roach <adam@nostrum.com> wrote:
> Generally, when integrity is important, so is anti-replay. If you care that remote parties can't create their own novel values, it would be surprising not to care about them squirreling away values they've seen before and using them later. Conversely, if you don't care about replay, you probably need to think really hard about why you care about integrity.
> 
> Of course, it's completely possible that I'm misunderstanding what you mean by "verifiable" in the original text (which gets to the heart of my original comment: there are terms of art for the properties that cryptography provides, and you really want to use them for the purpose of clarity.)

  In this situation, all we really care about is that the opaque token is known.  And it really should be opaque.  It's just bits, and not necessarily containing anything in particular.

>>   If a home server replays a previously-seen token, then one of two things will happen:
>> 
>> - the packet will go to the NAS which hosts the user session, and will be processed normally
>> 
>> - the packet will go to a different NAS, and will be NAKd
> 
> Sure. If that's the answer, then it seems like it's the same answer if the home server creates a new, invalid token; and that would mean that integrity isn't needed.

  Yes.

> I'm afraid you need to go back and figure out what your actual security requirements are here by asking what attacks might exist, and what their consequences are. The current text seems to be kind of an afterthought without any real analysis.

  Maybe I'm missing something, but it's pretty hard to "attack" an opaque token.  It can be (a) modified, or (b) replayed.  If it's modified, it doesn't match anything and it gets ignored.  If it's replayed, it's still a recognized token, and that's OK.

  All of the attacks here *also* depend on systems knowing the RADIUS shared secret.  i.e. these systems are already part of a trusted network.  They are already trusted to not replay accounting packets, authentication packets, forge accounting traffic (to increase bills), etc.

  The attacks for CoA here are nothing new.  The security is terrible, but we've lived with it for 25+ years, and it's what we have.

  Finally, if trusted parties attack you, the fix is usually legal, not technical.

  I'll update the Security Considerations section with some text on why roaming consortiums are open to forging.  But I think the risks here are fairly well known.

> Sorry, by "more than 32 bytes," I meant that the hash itself would take 32 bytes. You'd also have however long the Visited domain's identifier for the NAS is (which you originally thought would take 20 bytes), plus some number of nonce bytes (to prevent other networks from simply counting unique token values). You're really looking at more like 96 bytes or so.
> 
> Note that this gets somewhat smaller if integrity protection isn't important.

  Integrity protection isn't important.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email