Re: [radext] Question about CoA-Request and Tunnel-Password
"David B. Nelson" <d.b.nelson@comcast.net> Wed, 10 May 2017 01:47 UTC
Return-Path: <d.b.nelson@comcast.net>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E23F2128AFE for <radext@ietfa.amsl.com>; Tue, 9 May 2017 18:47:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hKL84oXMBi5Y for <radext@ietfa.amsl.com>; Tue, 9 May 2017 18:47:45 -0700 (PDT)
Received: from resqmta-po-09v.sys.comcast.net (resqmta-po-09v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:168]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EF52126DED for <radext@ietf.org>; Tue, 9 May 2017 18:47:45 -0700 (PDT)
Received: from resomta-po-02v.sys.comcast.net ([96.114.154.226]) by resqmta-po-09v.sys.comcast.net with SMTP id 8GiZdMVpQDKCQ8GjAdiXg8; Wed, 10 May 2017 01:47:44 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20161114; t=1494380864; bh=JNMeSB4V/IsCOaSeZbVYb3NNuALiV3rLoStFhTXMfqk=; h=Received:Received:Mime-Version:Content-Type:Message-Id:From: Subject:Date:To; b=FqaA8gI3fHuirBVL8xXIybWWwEPmefWoTAsF5OQ5+L2GeHndvqUl31uLYEYGoBUl+ KDD1YTUfml6R1dnrHDeSp9u7Os/a/kdWP7KkMUvK3t4+JYx/25fgAECKYI6+9dmrzB EqbAHV/+adz45u9iJ48kKQD9Pfukl+BhUsmhiFARrKLbBrQVTLiCnKJRZhgVjrWAB/ KSuHYQtgO8bOvf4qRl40uYy13B+8d/SLLAPzJ1LojAhFbYllV/d7DtvAs6rbjS8Shq XNFwrFWb2SfKJ7xR+BgsAF3yenZ+xtNpUhcQ+V2XSsY/MdsZsV9C3OVlNQox+t0CCK P+MF6Pu5M8MXQ==
Received: from [192.168.40.67] ([173.162.255.2]) by resomta-po-02v.sys.comcast.net with SMTP id 8Gj6dkjBQlZOx8Gj8d8JGl; Wed, 10 May 2017 01:47:44 +0000
References: <BBF30238-4DBC-4793-898B-7DE1BE13ED6C@deployingradius.com> <9F6FAC17-FEBE-4864-8D50-BE62C40C1D61@gmail.com> <23BFFA8D-0B95-4EE7-B977-75BD902BBBEB@deployingradius.com>
In-Reply-To: <23BFFA8D-0B95-4EE7-B977-75BD902BBBEB@deployingradius.com>
Mime-Version: 1.0 (1.0)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="us-ascii"
Message-Id: <CA3072DB-07D4-41FF-8808-8DB0CF67E600@comcast.net>
Cc: Bernard Aboba <bernard.aboba@gmail.com>, "radext@ietf.org" <radext@ietf.org>
X-Mailer: iPhone Mail (11D257)
From: "David B. Nelson" <d.b.nelson@comcast.net>
Date: Tue, 09 May 2017 21:47:38 -0400
To: Alan DeKok <aland@deployingradius.com>
X-CMAE-Envelope: MS4wfGtics6e3D6MM+eOCYNzs4OtKrsVTxpC01fk9+A6MdmLYKmGsKJtHZkjU9jUijPUEenIk7cQuxHM5axHM5eYxXpxXkoy47Hu2B5JOxlZCAo3OVoAWdFv A9lIlydcf6BO/LVzhg/i8CjFrXfOsP7JZqxBG2J2xY859CSAh2nXAAB/C+7myl5UO/Yj2sJ0JBRg2LSi8v04Xjx5sj37p0TGg0NPniTpRpb3MUBsZDSRbHvd S5GFZ/hwUJLoPrzgH4BRRTUjbhbFVADrKdyb26Xm00Q=
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/zb3ORqg4uEHUVN3ocVpVhav4VFw>
Subject: Re: [radext] Question about CoA-Request and Tunnel-Password
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 May 2017 01:47:47 -0000
Out of curiosity, do you have any notion of the relative prevalence of RADIUS over TLS in deployments today? Sent from my iPhone - Not proofread. > On May 9, 2017, at 9:36 PM, Alan DeKok <aland@deployingradius.com> wrote: > > >> On May 9, 2017, at 8:30 PM, Bernard Aboba <bernard.aboba@gmail.com> wrote: >> >> Yeah, this is an instance where RADIUS's lame security is even "lamerer". Does anyone still use Tunnel-Password? > > Not a lot. And I've never seen it used in CoA-Request packets, which makes this issue less of a problem. > > Any attack based on the limited randomness available is mitigated by the fact that even if you had a 100% attack against Tunnel-Password, you still couldn't forge request packets. > > So the main vulnerability appears to be that it's easier to brute-force crack Tunnel-Password, as there are only 15 bits of randomness available. Which means pre-computation of hashes becomes that much easier... > >> Makes me wonder if enough evidence has accrued to justify declaring RADIUS security deprecated and recommend a replacement. > > I'd suggest requiring DTLS, except the most widely used TLS implementation has had security issue after issue with their DTLS replacement. > > Deprecating UDP-only RADIUS would be a procedural step. It wouldn't really affect existing (or most future) deployments. > > My $0.02 is to just move to RADIUS over TLS, and call it done... > > What other deprecation / replacement would you suggest? > > Alan DeKok. > > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext
- [radext] Question about CoA-Request and Tunnel-Pa… Alan DeKok
- Re: [radext] Question about CoA-Request and Tunne… Bernard Aboba
- Re: [radext] Question about CoA-Request and Tunne… Alan DeKok
- Re: [radext] Question about CoA-Request and Tunne… David B. Nelson
- Re: [radext] Question about CoA-Request and Tunne… Alan DeKok