IETF Logo Mail Archive

Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04

Sam Hartman <hartmans@painless-security.com> Mon, 08 April 2013 15:35 UTC

Return-Path: <hartmans@painless-security.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C5C621F93E4 for <radext@ietfa.amsl.com>; Mon, 8 Apr 2013 08:35:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fUGvG4H8Wt7j for <radext@ietfa.amsl.com>; Mon, 8 Apr 2013 08:35:03 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id 9D45B21F93E2 for <radext@ietf.org>; Mon, 8 Apr 2013 08:35:03 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (c-98-216-0-82.hsd1.ma.comcast.net [98.216.0.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS id ECBD620556; Mon, 8 Apr 2013 11:33:39 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id DFE574499; Mon, 8 Apr 2013 11:35:00 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Peter Deacon <peterd@iea-software.com>
References: <1A5FDF7C-9E93-447E-A103-9700349CB2F5@gmail.com> <alpine.WNT.2.00.1304021450180.3988@SMURF> <515C3604.3040406@deployingradius.com> <alpine.WNT.2.00.1304042021411.3988@SMURF> <tslli8xnoms.fsf@mit.edu> <515ED047.3040200@deployingradius.com> <alpine.WNT.2.00.1304051020120.3988@SMURF> <5160255B.40409@deployingradius.com> <alpine.WNT.2.00.1304060913320.3988@SMURF> <5160B785.8070703@deployingradius.com> <tslppy5i2dm.fsf@mit.edu> <5162C651.2000200@deployingradius.com> <alpine.WNT.2.00.1304080801440.1952@littlesmurf>
Date: Mon, 08 Apr 2013 11:35:00 -0400
In-Reply-To: <alpine.WNT.2.00.1304080801440.1952@littlesmurf> (Peter Deacon's message of "Mon, 8 Apr 2013 08:20:53 -0700 (Pacific Daylight Time)")
Message-ID: <tslppy5ghnf.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: radext@ietf.org, Alan DeKok <aland@deployingradius.com>
Subject: Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2013 15:35:10 -0000

>>>>> "Peter" == Peter Deacon <peterd@iea-software.com> writes:

    Peter> On Mon, 8 Apr 2013, Alan DeKok wrote:
    >> Sam Hartman wrote:
>> Can you point to the documentation of the hard requirement for
    >>> server-side memory in upgrade?  I'd like to understand how we
    >>> got there and the discussions/arguments leading to that.

    >> Down-bidding attacks.

    Peter> A bidding down attack requires client or server to be tricked
    Peter> into accepting security lower than highest supported by both
    Peter> peers.  See the table in my previous message.

OK.
So, RADIUS/UDP is easier to attack than RADIUS/DTLS.
Let's assume a server requires message authenticators for UDP.

If the server forbids UDP-after-DTLS, then once DTLS has happened, an
attacker can no longer attack that particular UDP secret.
However if the client is responsible for enforcing the attack, then an
attacker can try and convince the server to accept a request using the
UDP secret in question.

I don't want to argue about whether it's a bid-down attack or not.
It is a real attack.
It's almost certainly in our threat model.

It's almost certain that a policy control of forbid UDP as the
mandatory-to-implementmechanism combined with Alan's proposal for
latching on use of DTLS as a SHOULD is sufficient to meet security
review.
If you turn off the latching behavior  then  you have a residual risk.

That said, I think I've also convinced myself that having the latching
behavior be mandatory-to-implement but not mandatory-to-use on the
server is also fine.

So,  here's where I stand on this issue:

* we need to do something in this space.

* I'm against mandating that clients or proxies support upgrading from
  UDP to DTLS without a restart/flag day

* I am in favor of requiring servers support clients upgrading without a
  flag day. Alan's latching proposal seems like a fine option to get
  that either as a SHOULD or MUST.

--Sam

v2.39.1 | Report a Bug | By Email | System Status