IETF Logo Mail Archive

Re: Optimizing Authentication - periodic re-authentication

Alan DeKok <aland@deployingradius.com> Tue, 30 January 2024 12:03 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0F6DC14F706; Tue, 30 Jan 2024 04:03:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XJcxvC37nMJ0; Tue, 30 Jan 2024 04:03:47 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECC52C14F6F7; Tue, 30 Jan 2024 04:03:45 -0800 (PST)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id D9C2610D; Tue, 30 Jan 2024 12:03:40 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Subject: Re: Optimizing Authentication - periodic re-authentication
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <20240128202100.GA11839@pfrc.org>
Date: Tue, 30 Jan 2024 07:03:39 -0500
Cc: draft-ietf-bfd-optimizing-authentication@ietf.org, rtg-bfd@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <EDD832FA-D02A-47A8-8EBE-B75D96333126@deployingradius.com>
References: <20240128202100.GA11839@pfrc.org>
To: Jeffrey Haas <jhaas@pfrc.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/6eUknCAeIZJEzzGxCp9eX4hBN5o>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2024 12:03:52 -0000

On Jan 28, 2024, at 3:21 PM, Jeffrey Haas <jhaas@pfrc.org> wrote:
> There's at least two possible ways to address this:
> 1. We simply don't worry about periodic re-auth for no-auth or NULL-auth.
> We thus don't protect against this attack.  If you care about this attack,
> use Meticulous Keyed ISAAC and the attack goes away.
> 2. We test periodic strong authentication by using a Poll sequence.  If we
> don't receive a Fin within the Detect Interval with strong auth, compromise
> should be expected.

  I think that the recommendation should be "if not using strong authentication or ISAAC, then periodically use poll mode".

> [1] Yes... the only attack we have in this mode is "keep the session Up when
> it might otherwise not be".  I expect the usual hilarity when we get to
> security area review.

  Not all attacks have negative effects.

  I'm reminded of a "buffer overflow" report from many years ago for some of my software.  The overflow wasn't a network-based overflow, which would have been worrying.  Instead, the report was "it is possible to create configuration file data which results in overflow, which can make the software do things".

  I think it took about 4 rounds before I manage to get it through that if an attacker can write to the configuration files, he can just *configure* the software to do something.  He doesn't need to "exploit" it with an overflow.

  I that hope that the secdir review can avoid commenting on useless and irrelevant attacks.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email