Re: [secdir] Secdir review of draft-ietf-radext-dynamic-discovery-12

Stefan Winter <> Fri, 06 March 2015 08:35 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A4EED1ACD42; Fri, 6 Mar 2015 00:35:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.391
X-Spam-Status: No, score=0.391 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MANGLED_NAIL=2.3, T_RP_MATCHES_RCVD=-0.01, WEIRD_PORT=0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QQ8t5gfXQqwC; Fri, 6 Mar 2015 00:35:49 -0800 (PST)
Received: from ( [IPv6:2001:a18:1::62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9C6B51ACD3E; Fri, 6 Mar 2015 00:35:49 -0800 (PST)
Received: from ( [IPv6:2001:a18:1:8::155]) by (Postfix) with ESMTPS id 7954B43995; Fri, 6 Mar 2015 09:35:48 +0100 (CET)
Message-ID: <>
Date: Fri, 06 Mar 2015 09:35:48 +0100
From: Stefan Winter <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: "Brian Weis (bew)" <>, Alan DeKok <>
References: <> <> <>
In-Reply-To: <>
OpenPGP: id=8A39DC66; url=
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="sWtGc8NO9vtOQ6WiHL8BfNQ3o1WNVMHs1"
Archived-At: <>
Cc: The IESG <>, "" <>, "" <>
Subject: Re: [secdir] Secdir review of draft-ietf-radext-dynamic-discovery-12
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 06 Mar 2015 08:35:51 -0000


> The clarification below was very useful.  Perhaps the authors will find it valuable to include the references you mentioned, and clarify that there is expected to be a limited number of trusted (preferably one) trusted to issue certificates for the consortium use case.

The NAI reference was already in the document, and I've pulled in text
from the RADIUS/DTLS reference directly into the document.

The text regarding the small set of CAs is now also in.


Stefan Winter

> Thanks,
> Brian
> On Jan 4, 2015, at 8:48 PM, Alan DeKok <> wrote:
>> On Dec 24, 2014, at 4:05 PM, Brian Weis <> wrote:
>>  I’m not the document author, but I can help give some clarification.
>>> There’s not much background given, and having an overview of the solution architecture in the Introduction would be useful. I.e., a description and picture showing the actors and the communication flows between them.
>>  The current roaming behaviour is discussed in the NAI document, Section 3.  Unfortunately, it also assumes some familiarity with the field.
>>  Perhaps the simplest explanation is that RADIUS is client-server.  Clients request authentication on behalf of users, and servers authenticate the users.  The key thing is that historically, proxying has been static, and provisioning of proxy configuration has been entirely outside of the protocol.  i.e. proxies operate by consensus and habit, not by standard behaviour.
>>  A long description of the Eduroam consortium is available as an individual draft:
>>  However, *commercial* proxies do not operate in the eduroam model.  Commercial proxies are largely “star” configurations.  An interconnect company sits at the centre of a star.  It may connect to one or more other interconnect providers.  Routes are largely static, and are usually updated by hand, after legal contracts have been exchanged.
>>  This document is standardizing provisioning of RADIUS proxying, via dynamic methods.
>>> I don’t have complete confidence that I correctly understood which actors are involved in the RASIUS/TLS transaction -- in some sections it seems that RADIUS clients are initiating requests and sometimes RADIUS servers and I thought only clients contacted servers. An overview of the actors would probably have clarified that.
>>  Clients are the only ones initiating requests.  In some cases, the system running RADIUS can behave as a client or as a server, depending on it’s needs.  That makes it more complicated.
>>> If I understand correctly how roaming consortiums currently work today, a RADIUS client within a consortium needing to make a AAA call to a RADIUS server in another realm does not contact the server directly.
>>  s/does not/may not/
>>> Instead, it routes the request through a hierarchy of RADIUS servers following roots of trust.
>>  That’s how eduroam works.  Commercial proxies are configured differently.
>>  However, they both operate on a “fire and forget” model.  A RADIUS server which wants to proxy a request somehow (magically, almost) determines which upstream server to use.  The “magic” part of that process is what the dynamic discovery document is trying to standardize.
>>> Section discusses the use of TLS cipher suites, and makes the point that certificate based cipher suites need to be used because there won’t be any pre-distributed secret key material available. That’s good advice. I think the section should also give advice on choosing trust roots. This is important because the identity of the server was gotten in an untrusted manner (from unsecured DNS), and the certificate it presents contains information used for  authorization of a server (i.e., SubjectAltName). If a RADIUS client were to accept a certificate signed by a wide range of trust roots (e.g, the set of roots used by browsers, where the trustability of many CAs in the hierarchy is unknown) then the RADIUS client would be  ill advised to trust authorization information claims in the hierarchy.
>>  Current RADIUS practice uses a limited set of CAs.  Generally, only one.  This use-case is *very* different than that for browsers.  This document should make that clearer.  Shipping a RADIUS server (or client) with a list of pre-configured CAs is a *very bad* idea.  RFC 6614 (RADIUS over TLS) should probably have had such statements.  RFC 7360 (RADIUS over DTLS) has some related text which would be useful here:
>>  Section 10.4: ...
>>   Therefore, clients SHOULD NOT be pre-configured with a list of known
>>   public CAs by the vendor or manufacturer.  Instead, the clients
>>   SHOULD start off with an empty CA list.  The addition of a CA SHOULD
>>   be done only when manually configured by an administrator.
>>   This scenario is the opposite of web browsers, where they are pre-
>>   configured with many known CAs.  The goal there is security from
>>   third-party observers, but also the ability to communicate with any
>>   unknown site that presents a signed certificate.  In contrast, the
>>   goal of RADIUS/DTLS is both security from third-party observers and
>>   the ability to communicate with only a small set of well-known
>>   servers.
>>> On the other hand, if the trust roots were restricted to a set of highly trusted trust roots maintained by the consortium, then the authorization information in the certificate would be trustable. This should be explained.
>>  Generally there’s only one root CA for a consortium.  I’m not sure what the use-case would be for multiple root CAs.
>>  Alan DeKok.

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me