
Proposed resolution to Issue 181: Review



The text of Issue 181 is enclosed below. The proposed resolution is as follows:

Add expansions of VLAN, RADIUS, NAS, etc.  Substitute RFC 4363 for RFC 2674.

Replace the terminology section with definitions taken from RFC 3748 and RFC 4005:

Authenticator
The end of the link initiating EAP authentication. The term
authenticator is used in [RFC3748] and [IEEE-802.1X], and has the same meaning
in this document.

backend authentication server
A backend authentication server is an entity that provides an
authentication service to an authenticator. When used, this
server typically executes EAP methods for the authenticator. This
terminology is also used in [IEEE-802.1X].

Network Access Server (NAS)
A device that provides an access
service for a user to a network.

Supplicant
The end of the link that responds to the authenticator in [IEEE-802.1X].

Rewrite the security considerations section as follows:

"This specification describes the use of RADIUS for purposes of
authentication, authorization and accounting in
networks supporting [IEEE 802.1X]. Threats and security
issues for this application are described in [RFC3579] and [RFC3580];
security issues encountered in roaming are described in
[RFC2607].

This document specifies new attributes that can be included in
existing RADIUS packets, which are protected as
described in [RFC3579] and [RFC3576].  See those documents for a
more detailed description.

The security mechanisms described in [RFC3579] and [RFC3576] are
focused on preventing an attacker from spoofing packets or modifying
packets in transit.  They do not prevent an authorized RADIUS
server or proxy from inserting attributes with malicious intent.

VLAN attributes sent by a RADIUS server or proxy may enable
access to unauthorized VLANs. These vulnerabilities can
be limited by performing authorization checks at the NAS.
For example, a NAS can be configured to accept only certain
VLANIDs from a given RADIUS server/proxy.

Similarly, an attacker gaining control of a RADIUS server or proxy
can modify the user priority table,
causing either degradation of quality of service (by downgrading user
priority of packets arriving at a port), or denial of service (by
raising the level of
priority of traffic at multiple ports of a device, oversubscribing the
switch or link capabilities)."
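The NAS-side authorization check described above (accepting only certain VLANIDs from a given RADIUS server/proxy, and refusing a user priority table that raises priorities beyond what the port is allowed) as an added example, not text or code from the draft or from any NAS implementation. It assumes the Access-Accept has already been parsed into an attribute dictionary; the Tunnel-* values follow RFC 3580, while the 8-octet User-Priority-Table layout is assumed from the later RFC 4675 rather than taken from this -00 draft.

```python
from dataclasses import dataclass

# RFC 3580 values for a VLAN assignment carried in Tunnel-* attributes.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


@dataclass
class NasPolicy:
    # Per-RADIUS-server allow-list of VLAN IDs: the "accept only certain
    # VLANIDs from a given RADIUS server/proxy" check from the text.
    allowed_vlans: dict          # server address -> set of VLAN IDs
    max_priority: int = 7        # highest regenerated priority the NAS honours


def check_access_accept(policy, server, attrs):
    """Authorize a parsed Access-Accept. Returns (accepted, list_of_reasons)."""
    reasons = []
    ttype, medium, group = (attrs.get(k) for k in
                            ("Tunnel-Type", "Tunnel-Medium-Type",
                             "Tunnel-Private-Group-ID"))
    if (ttype, medium, group) != (None, None, None):
        if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE802:
            reasons.append("VLAN assignment with unexpected tunnel type/medium")
        # This NAS honours numeric VLANIDs only (RFC 3580 also allows names).
        elif not str(group).isdigit() or not 1 <= int(group) <= 4094:
            reasons.append(f"malformed VLAN id {group!r}")
        elif int(group) not in policy.allowed_vlans.get(server, set()):
            reasons.append(f"VLAN {group} not authorized from server {server}")
    table = attrs.get("User-Priority-Table")
    if table is not None:
        # Assumed layout (RFC 4675): 8 entries, regenerated priority for incoming 0..7.
        if len(table) != 8 or any(not 0 <= p <= 7 for p in table):
            reasons.append("priority table must hold 8 priorities in 0..7")
        elif max(table) > policy.max_priority:
            reasons.append(f"priority table raises traffic above {policy.max_priority}")
    return (not reasons, reasons)


# Constructed sample policy: server 10.0.0.1 may assign VLANs 10 and 20 only,
# and may not regenerate any priority above 5 on this port.
POLICY = NasPolicy(allowed_vlans={"10.0.0.1": {10, 20}}, max_priority=5)
LEGIT = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "20",
         "User-Priority-Table": [0, 1, 2, 3, 4, 5, 5, 5]}
ROGUE_VLAN = {**LEGIT, "Tunnel-Private-Group-ID": "30"}   # VLAN not on the allow-list
ROGUE_PRIO = {**LEGIT, "User-Priority-Table": [7] * 8}    # everything raised to top priority

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("rogue vlan", ROGUE_VLAN), ("rogue prio", ROGUE_PRIO)):
        print(name, check_access_accept(POLICY, "10.0.0.1", pkt))
```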

---------------------------------------------------------------------------------------
Issue 181: Review
Submitter name: Dan Romascanu
Submitter email address: dromasca@avaya.com
Date first submitted: March 16, 2006
Reference: http://ops.ietf.org/lists/radiusext/2006/msg00311.html
Document: VLAN/Priority -00
Comment type: 'T'echnical
Priority: S
Section: Various
Rationale/Explanation of issue:

I believe that the document is in pretty good shape; I still have a few
comments which I believe are worth being considered.

Content:

1. [RFC2674] is now obsoleted by [RFC4363]. I suggest modifying this
reference.
2. The supplicant definition in 1.1 says:

         A supplicant is an entity that is being authenticated by an
         authenticator.  The supplicant may be connected to the
         authenticator at one end of a point-to-point LAN segment or
         802.11 wireless link.

It is not clear why 'point-to-point' is mentioned here seemingly as
opposed to wireless. I believe that the point that is being made is
about connecting to a point-to-point or shared LAN segment. I suggest
replacing this by:

         A supplicant is an entity that is being authenticated by an
         authenticator.  The supplicant may be connected to the
         authenticator at one end of a point-to-point or shared LAN
         segment

3. I believe that there is at least one other example of security attack
by insertion of attributes with a malicious content that is worth being
mentioned. This is the case when the user priority table is modified
causing either degradation of quality of service by downgrading user
priority of packets arriving at a port, or denial of service by
oversubscribing the switch or link capabilities by raising the level of
priority of traffic at multiple ports of a device.

Editorial:

1. It is recommended that abstract sections expand acronyms with the
exception of the obvious (IP, TCP, etc...). I would say that VLAN and
RADIUS are not in the obvious category.
2. NAS shows up first in section 1.3 and is not expanded.
3. The first phrase in Section 5 seems broken; I read it as the document
being vulnerable, which is not the intent, I believe.
[David Nelson]
That is a good point.  I think that further clarification would be
desirable, however.  My recollection of IEEE 802.1X is that it applies
to ports, which may be point-to-point LAN links, or virtual ports on
shared media defined by a protected association.

So perhaps we could extend the suggested text, as follows:

          A supplicant is an entity that is being authenticated by an
          authenticator.  The supplicant may be connected to the
          authenticator at one end of a point-to-point LAN link or via
          a protected association over a shared LAN segment.



--
archive: <http://psg.com/lists/radiusext/>