[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

draft-ietf-radext-digest-auth06.txt Digest MD5-sess

To: radiusext@ops.ietf.org
Subject: draft-ietf-radext-digest-auth06.txt Digest MD5-sess
From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Thu, 29 Dec 2005 05:32:03 +0100 (CET)

Has there been any thought of allowing RADIUS to be used for session basedMD5-Sess authentication, where processing of further authentication withinthe same session is carried out by the radius client (i.e. HTTPserver/proxy) rather than the RADIUS server?

This is quite interesting in HTTP applications, where quite many requestscan be seen within the same session and at a relatively high rate. (i.e.thousands of requests/second, for a active end-user population of a fewthousands). Having the bulk of the authentication verifications carriedout in the RADIUS client (HTTP server/proxy) can significantly reduce theload on the RADIUS server and greatly improve the request latency(quality) of the service provided.

The principle behind this is that the MD5-sess hash A1 (Digest-HA1, aka'session key' in RFC2617) attribute is given to the client (HTTPserver/proxy) even if qop=auth (or perhaps even missing). This allows theHTTP server/proxy to internally process further requests in the samesession (same server side nonce), considerably reducing the load on theRADIUS server.

Today the wordings in draft-ietf-radext-digest-auth06.txt forbids thismode of operation, and one has to loop via qop=auth-int to fool the RADIUSserver into a mode allowing for this, even if . The following quite modestchanges is needed toallow for RADIUS to be used in such conditions:


1.3.  Overview
3.1.  RADIUS Client Behavior

here one may want to add a section describing this optional behavior ofthe client.



3.2.  RADIUS Server Behavior

Add the following condition

    o  If the Digest-Qop attribute's value is 'auth' and the
       Digest-Algorithm attribute's value is 'MD5-sess' the RADIUS
       server MAY add a Digest-HA1 attribute into the Access-Accept
       packet to allow the client to process further authentication
       requests within the same session.


4.19.  Digest-HA1 attribute

Here the qop related restriction on when this attribute may be sent needsto be dropped. Having restrictions here is also in large redundant withsection 3.2 I think.

For security reasons I would also add a recommendation to restrict theMD5-sess case (including qop=auth-int) to when the RADIUS server hasgenerated the Digest-Nonce. Sending MD5-sess Digest-HA1 in the mode wherethe RADIUS client has generated the nonce allows for session theft if theattacker can listen to the external traffic and also query the RADIUSserver, even if he can not see the traffic between the actual RADIUSclient used and the RADIUS server.


Regards
Henrik

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- Re: draft-ietf-radext-digest-auth06.txt Digest MD5-sess
  - From: "Alan DeKok" <aland@ox.org>

Next by Date: Re: draft-ietf-radext-digest-auth06.txt Digest MD5-sess
Next by thread: Re: draft-ietf-radext-digest-auth06.txt Digest MD5-sess
Index(es):
- Date
- Thread