[secdir] SECDIR Review of draft-ietf-radext-design-05

"Hallam-Baker, Phillip" <pbaker@verisign.com> Mon, 09 February 2009 22:05 UTC

Date: Mon, 09 Feb 2009 14:04:59 -0800
Message-ID: <2788466ED3E31C418E9ACC5C3166155768B26D@mou1wnexmb09.vcorp.ad.vrsn.com>
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: gdweber@gmail.com, aland@freeradius.org, radiusext@ops.ietf.org
Cc: iesg@ietf.org, secdir@ietf.org
Subject: [secdir] SECDIR Review of draft-ietf-radext-design-05

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments. 
 
The purpose of this document is to explain the workings of RADIUS attributes for the benefit of those involved in the design of future RADIUS attribute specifications. As such the document is very clear and provides advice that will no doubt prove useful.
 
The Security Considerations section could do with some additional work however.
 
The discussion of encryption of attributes is somewhat confusing. Mention is made of encryption, followed by mention of MD5 and SHA1. While it was common to describe the use of one way functions to obfuscate passwords as 'encryption' in the 1980s, this is not current terminology and this needs to be explained.
 
Also I would like to see specific mention made of whatever provisions are made for message authentication in the protocol, if none, then this should also be specified. This is a major concern in what is essentially a protocol that supports the authentication/authorization process.
 
Finally, I would like to see some mention of the use of a secure tunnel such as IPsec and which types of attributes might need superencryption within such a tunnel.
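As an added worked example, not part of the review above and not code from the draft or from any RADIUS implementation, the following Python shows concretely the two points the reviewer asks the Security Considerations section to spell out: what the User-Password "encryption" of RFC 2865 section 5.2 actually is (an MD5-derived keystream XORed over the padded password, chained from the cleartext Request Authenticator), and what message authentication RADIUS does offer when the Message-Authenticator attribute of RFC 2869 section 5.14 (HMAC-MD5 over the packet, keyed with the shared secret) is present. The shared secret, password, user name and identifier are constructed values for the example; the packet layout follows RFC 2865 section 3.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values for this example; they are not taken from the review.
SHARED_SECRET = b"example-shared-secret"
SAMPLE_PASSWORD = b"correct horse battery"  # 21 octets, padded to 32 on the wire

ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80
CODE_ACCESS_REQUEST = 1


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding. Each 16-octet block of the
    null-padded password is XORed with MD5(secret || previous output block);
    the first block chains from the Request Authenticator, which is sent in
    the clear. This is a hash-derived keystream, not encryption as the term
    is used today."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password: the shared secret plus a captured packet
    recover the password outright."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 octet), Length (1 octet, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Serialise an Access-Request and append a Message-Authenticator: HMAC-MD5
    over the whole packet with the attribute value zeroed (RFC 2869 5.14)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    placeholder = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(body) + len(placeholder)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, length) + request_auth
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if a Message-Authenticator is present and matches. Without it
    an Access-Request has no integrity protection: only the password is keyed."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos, mac_pos = 20, None
    while pos < length:
        if pos + 2 > length:
            return False
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            mac_pos = pos + 2
        pos += attr_len
    if mac_pos is None:
        return False
    zeroed = packet[:mac_pos] + b"\x00" * 16 + packet[mac_pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[mac_pos:mac_pos + 16])


def tamper_user_name(packet: bytes, new_name: bytes) -> bytes:
    """Overwrite the first User-Name value in place (same length), simulating an
    on-path modification that touches nothing else in the packet."""
    pos = 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == ATTR_USER_NAME:
            if len(new_name) != attr_len - 2:
                raise ValueError("replacement must keep the attribute length")
            return packet[:pos + 2] + new_name + packet[pos + attr_len:]
        pos += attr_len
    raise ValueError("no User-Name attribute")


def demo(secret: bytes = SHARED_SECRET, password: bytes = SAMPLE_PASSWORD) -> dict:
    request_auth = os.urandom(16)
    hidden = hide_user_password(password, secret, request_auth)
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_USER_PASSWORD, hidden)]
    packet = build_access_request(7, request_auth, attrs, secret)
    return {
        "hidden_len": len(hidden),
        "recovered": reveal_user_password(hidden, secret, request_auth),
        "genuine_ok": verify_message_authenticator(packet, secret),
        "forged_ok": verify_message_authenticator(tamper_user_name(packet, b"mallo"), secret),
        "wrong_secret_ok": verify_message_authenticator(packet, b"other-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties follow directly from the code and are the kind of thing the reviewer is asking the draft to state plainly: the keystream for the first password block is MD5(secret || Request Authenticator) and nothing else, so a reused Request Authenticator under the same secret reuses keystream; and an Access-Request that omits Message-Authenticator can have any non-password attribute rewritten in transit without detection, since the base RFC 2865 request carries no keyed check over the packet.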