Re: [secdir] Secdir review of draft-ietf-radext-dynamic-discovery-12

Alan DeKok <> Mon, 05 January 2015 04:48 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id C80EB1A1ADF; Sun, 4 Jan 2015 20:48:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.4
X-Spam-Status: No, score=0.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MANGLED_NAIL=2.3] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1bYfhKhWcX62; Sun, 4 Jan 2015 20:48:56 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 628F91A1A7F; Sun, 4 Jan 2015 20:48:56 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3F19B2240592; Mon, 5 Jan 2015 05:48:25 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GZWdrYvthrMN; Mon, 5 Jan 2015 05:48:23 +0100 (CET)
Received: from [] ( []) by (Postfix) with ESMTPSA id 8035B2240102; Mon, 5 Jan 2015 05:48:21 +0100 (CET)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Alan DeKok <>
In-Reply-To: <>
Date: Sun, 04 Jan 2015 23:48:18 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Brian Weis <>
X-Mailer: Apple Mail (2.1878.6)
Cc: The IESG <>,,
Subject: Re: [secdir] Secdir review of draft-ietf-radext-dynamic-discovery-12
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 05 Jan 2015 04:49:00 -0000

On Dec 24, 2014, at 4:05 PM, Brian Weis <> wrote:

  I’m not the document author, but I can help give some clarification.

> There’s not much background given, and having an overview of the solution architecture in the Introduction would be useful. I.e., a description and picture showing the actors and the communication flows between them.

  The current roaming behaviour is discussed in the NAI document, Section 3.  Unfortunately, it also assumes some familiarity with the field.

  Perhaps the simplest explanation is that RADIUS is client-server.  Clients request authentication on behalf of users, and servers authenticate the users.  The key thing is that historically, proxying has been static, and provisioning of proxy configuration has been entirely outside of the protocol.  i.e. proxies operate by consensus and habit, not by standard behaviour.

  A long description of the Eduroam consortium is available as an individual draft:

  However, *commercial* proxies do not operate in the eduroam model.  Commercial proxies are largely “star” configurations.  An interconnect company sits at the centre of a star.  It may connect to one or more other interconnect providers.  Routes are largely static, and are usually updated by hand, after legal contracts have been exchanged.

  This document is standardizing provisioning of RADIUS proxying, via dynamic methods.

>  I don’t have complete confidence that I correctly understood which actors are involved in the RASIUS/TLS transaction -- in some sections it seems that RADIUS clients are initiating requests and sometimes RADIUS servers and I thought only clients contacted servers. An overview of the actors would probably have clarified that.

  Clients are the only ones initiating requests.  In some cases, the system running RADIUS can behave as a client or as a server, depending on it’s needs.  That makes it more complicated.

> If I understand correctly how roaming consortiums currently work today, a RADIUS client within a consortium needing to make a AAA call to a RADIUS server in another realm does not contact the server directly.

  s/does not/may not/

> Instead, it routes the request through a hierarchy of RADIUS servers following roots of trust.

  That’s how eduroam works.  Commercial proxies are configured differently.

  However, they both operate on a “fire and forget” model.  A RADIUS server which wants to proxy a request somehow (magically, almost) determines which upstream server to use.  The “magic” part of that process is what the dynamic discovery document is trying to standardize.

> Section discusses the use of TLS cipher suites, and makes the point that certificate based cipher suites need to be used because there won’t be any pre-distributed secret key material available. That’s good advice. I think the section should also give advice on choosing trust roots. This is important because the identity of the server was gotten in an untrusted manner (from unsecured DNS), and the certificate it presents contains information used for  authorization of a server (i.e., SubjectAltName). If a RADIUS client were to accept a certificate signed by a wide range of trust roots (e.g, the set of roots used by browsers, where the trustability of many CAs in the hierarchy is unknown) then the RADIUS client would be  ill advised to trust authorization information claims in the hierarchy.

  Current RADIUS practice uses a limited set of CAs.  Generally, only one.  This use-case is *very* different than that for browsers.  This document should make that clearer.  Shipping a RADIUS server (or client) with a list of pre-configured CAs is a *very bad* idea.  RFC 6614 (RADIUS over TLS) should probably have had such statements.  RFC 7360 (RADIUS over DTLS) has some related text which would be useful here:

  Section 10.4: ...

   Therefore, clients SHOULD NOT be pre-configured with a list of known
   public CAs by the vendor or manufacturer.  Instead, the clients
   SHOULD start off with an empty CA list.  The addition of a CA SHOULD
   be done only when manually configured by an administrator.
   This scenario is the opposite of web browsers, where they are pre-
   configured with many known CAs.  The goal there is security from
   third-party observers, but also the ability to communicate with any
   unknown site that presents a signed certificate.  In contrast, the
   goal of RADIUS/DTLS is both security from third-party observers and
   the ability to communicate with only a small set of well-known

> On the other hand, if the trust roots were restricted to a set of highly trusted trust roots maintained by the consortium, then the authorization information in the certificate would be trustable. This should be explained.

  Generally there’s only one root CA for a consortium.  I’m not sure what the use-case would be for multiple root CAs.

  Alan DeKok.