Re: [secdir] Secdir review of draft-ietf-softwire-6rd-radius-attrib-07

Bernard Aboba <> Sun, 25 November 2012 20:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EA64521F8658; Sun, 25 Nov 2012 12:00:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.479
X-Spam-Status: No, score=-102.479 tagged_above=-999 required=5 tests=[AWL=0.119, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rOssbmuidoE7; Sun, 25 Nov 2012 12:00:32 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id F089321F8683; Sun, 25 Nov 2012 12:00:31 -0800 (PST)
Received: from BLU002-W217 ([]) by with Microsoft SMTPSVC(6.0.3790.4675); Sun, 25 Nov 2012 12:00:31 -0800
Message-ID: <BLU002-W217327878625E09B465E58893580@phx.gbl>
Content-Type: multipart/alternative; boundary="_1d696ece-3a08-4474-ba8e-6a3d8c3075ec_"
X-Originating-IP: []
From: Bernard Aboba <>
To: "Joseph Salowey (jsalowey)" <>
Date: Sun, 25 Nov 2012 12:00:30 -0800
Importance: Normal
In-Reply-To: <>
References: <>, <>
MIME-Version: 1.0
X-OriginalArrivalTime: 25 Nov 2012 20:00:31.0027 (UTC) FILETIME=[85B9B830:01CDCB47]
Cc: "" <>, "" <>, "" <>, "" <>
Subject: Re: [secdir] Secdir review of draft-ietf-softwire-6rd-radius-attrib-07
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 25 Nov 2012 20:00:33 -0000

> Joseph Salowey (jsalowey) wrote:

>Therefore RADIUS messages using the 6rd attribute MUST include a 
message-authenticator attribute or another attribute that is capable of 
authenticating the RADIUS packet.  
>   I missed that.  I agree with the requirement for a Message-Authenticator.

 Yes, as currently specified the Access-Request is not authenticated or 
integrity protected, and is therefore susceptible to forgery.  

> > 1.  A RADIUS message used for call-check does not contain any information that would authenticate the request.  

[BA] There isn't even any information with which to authorize the request.  The "Call Check" Service-Type was designed for situations where authorization can be determined via the Called-Station-Id or Calling-Station-Id attributes, which originally contained telephone numbers.  In RFC 3580, Called/Calling-Station-Id could also contain a MAC address, but the principle was similar -- an unique (non-authenticated) identifier which could be used to determine whether a call was authorized.  Here is what RFC 2865 Section 5.6 says about Call Check:

     Call Check          Used by the NAS in an Access-Request packet to
                          indicate that a call is being received and
                          that the RADIUS server should send back an
                          Access-Accept to answer the call, or an
                          Access-Reject to not accept the call,
                          typically based on the Called-Station-Id or
                          Calling-Station-Id attributes.  It is
                          recommended that such Access-Requests use the
                          value of Calling-Station-Id as the value of
                          the User-Name.
However, this document does not say anything about use of the Calling-Station-Id or Called-Station-Id attributes, or the value of the User-Name attribute.  Given that, the use of Service-Type = "Call Check" would not seem to apply.

> > 2.   I'm not so familiar with the deployment scenario here so I have a question.  Is it possible that the BNG was involved in a previous transaction with the AAA server to authenticate a user?   If this is the case then the BNG may have received a state attribute in the access-accept message.   Returning this state attribute to the AAA server allows the AAA server to link the 6rd request with the original authentication transaction.    If this is a possible scenario the document should specify this since state attributes are not typically used with the call-check service.  Also if its the case that there could have been a related previous authentication session it seems that it should be possible to include this attribute in an access-request as part of the authentication exchange.  
>   I *think* that the answer here is "no".  The document previously used
> Service-Type = Authorize-Only and a State attribute.  After some
> discussion, it was decided to change that to Call-Check, because there
> was no way to obtain a State attribute.

[BA] As I understand it, at least one of the scenarios described in the document would involve the retrieval of DHCP information along with a user authentication.  In such a scenario, why would either Authorize-Only or Call Check be needed?

> 3.  It was not clear in the specification what is sent in the access-request message is the BNG is looking to get a IPv6-6rd-configuration attribute in the access accept.  It seems that you would need to send this attribute in the request if you expected it in the response or else the AAA server would not be able to un-ambiguously be able to service the request; there are other uses for the call-check service.   I think you should specify that the 6rd attribute must be in the request if you want to see it in the response.   

[BA] Yes.  Otherwise the RADIUS server would not know that an IPv6-6rd-configuration attribute was needed.