[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Thoughts on Requirements for RADIUS crypto-agility

To: "David B. Nelson" <d.b.nelson@comcast.net>
Subject: Re: Thoughts on Requirements for RADIUS crypto-agility
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Date: Wed, 28 Feb 2007 16:51:15 +0100
Cc: 'radext mailing list' <radiusext@ops.ietf.org>
In-reply-to: <001b01c756d8$64a83b60$6401a8c0@NEWTON603>
References: <001b01c756d8$64a83b60$6401a8c0@NEWTON603>
User-agent: Thunderbird 2.0b2 (Windows/20070116)

Hi David,

here are my thoughts. Let me start with a differentiation between

a) authentication and key exchange (including the negotiation ofalgorithms)

b) protection of the messages.

As you mention one could use IPsec (together with IKE/IKEv2) to make theentire discussion irrelevant.

Assuming that IPsec is not used one obviously needs to consider (a) and(b) to offer a complete solution.

So, here are useful options:

1) DTLS
Provides (a) and (b) in one proposal.
2) IKEv1 + DoI for RADIUS packet protection security
Uses IKEv1 for (a) and per-packet protection for (b)

3) DTLS + sort-of-DoI for RADIUS packet protection security (as usedwith DTLS based media security proposal)

Uses DTLS handshake for (a) and per-packet protection for (b)

Do I entirely miss something here?

Ciao
Hannes

I would deprecate the per-packet David B. Nelson wrote:

As noted in the previous message, the first stage in the development ofa RADIUS crypto-agility solution is to formulate a requirements statement.
A straw-man set of requirements is included below:

OVERALL APPROACH
1. RADIUS crypto-agility solutions are not restricted to utilizingtechnology described in existing RFCs. Since RADIUS over IPsec isalready described in RFC 3162 and 3579, this technique is alreadyavailable to those who wish to use it. Therefore it is expected thatproposals will utilize other techniques.
SECURITY SERVICES
2. Proposals MUST support the negotiation of cryptographicalgorithms for per-packet integrity/authenticationprotection. Support for confidentiality of entire RADIUSpackets is OPTIONAL. However, proposals MUST support the negotiation ofalgorithms for encryption (sometimes referred to as "hiding") of RADIUSattributes. If possible, it is desirable for proposals to provide for theencryption of existing attributes. This includes existing "hidden"attributes as well as attributes (such as location attributes) thatrequire confidentiality.3. Proposals MUST support replay protection. It has been noted thatexisting mechanisms for replay protection of Accounting-Request/Response,CoA-Request/Response and Disconnect-Request/Response messages areinadequate.
4. Crypto-agility solutions need to specify mandatory-to-implement
algorithms for each mechanism.

BACKWARD COMPATIBILITY
5. Solutions to the problem need to demonstrate backward compatibilitywith existing RADIUS implementations. That is, a crypto-agilitysolution needs to be able to send packets that a legacy RADIUSclient or server will receive and process successfully. Similarly, acrypto-agility solution needs to be capable of receiving and processingpackets from a legacy RADIUS client or server.6. Crypto-agility solutions need to avoid security compromise, evenin situations where the existing cryptographic algorithms utilized byRADIUS implementations are shown to be weak enough to provide little or nosecurity (e.g. in event of compromise of the RADIUS shared secret).Included in this would be protection against bidding down attacks.INTEROPERABILITY AND CHANGE CONTROL
7. Proposals need to indicate a willingness to cede change control to theIETF.8. Crypto-agility solutions need to be interoperable between independentimplementations based purely on the information provided in thespecification.SCOPE OF WORK
9. Crypto-agility solutions need to apply to all RADIUS packet types,including Access-Request, Challenge, Reject & Accept,Accounting-Request/Response, and CoA/Disconnect messages.10. Proposals MUST include a Diameter compatibility section.11. Crypto-agility solutions should not require fundamental changes to theRADIUS operational model, such as the introduction of new commands ormaintenance of state on the RADIUS server. Similarly, the addition ofnew capabilities to the RADIUS protocol is out of scope; a proposal shouldfocus on the crypto-agility problem and nothing else. For example,proposals should not require new attribute formats or includedefinition of new RADIUS services. Unless modified, the restrictionsin the RADEXT WG charter apply.
Note that for the purposes of this work, the RADEXT WG charter restriction
against definition of "new security mechanisms" should be interpreted as
prohibiting changes to the basic RADIUS packet format (e.g. headers), but
permits new crypto-algorithms to be substituted for use in existingsecurity mechanisms.
Regards,

Bernard Aboba
Dave Nelson

RADEXT Co-Chairs




--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- Thoughts on Requirements for RADIUS crypto-agility
  - From: "David B. Nelson" <d.b.nelson@comcast.net>

Prev by Date: Re: Some important IETF-68 deadlines and request for agenda items
Next by Date: Proposed RADEXT WG Agenda for IETF 68 (Take 1)
Previous by thread: RADIUS crypto-agility straw-man proposal
Next by thread: RADEXT session at IETF-68
Index(es):
- Date
- Thread