[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Thoughts on Requirements for RADIUS crypto-agility
Hi David,
here are my thoughts. Let me start with a differentiation between
a) authentication and key exchange (including the negotiation of
algorithms)
b) protection of the messages.
As you mention one could use IPsec (together with IKE/IKEv2) to make the
entire discussion irrelevant.
Assuming that IPsec is not used one obviously needs to consider (a) and
(b) to offer a complete solution.
So, here are useful options:
1) DTLS
Provides (a) and (b) in one proposal.
2) IKEv1 + DoI for RADIUS packet protection security
Uses IKEv1 for (a) and per-packet protection for (b)
3) DTLS + sort-of-DoI for RADIUS packet protection security (as used
with DTLS based media security proposal)
Uses DTLS handshake for (a) and per-packet protection for (b)
Do I entirely miss something here?
Ciao
Hannes
I would deprecate the per-packet David B. Nelson wrote:
As noted in the previous message, the first stage in the development of
a RADIUS crypto-agility solution is to formulate a requirements statement.
A straw-man set of requirements is included below:
OVERALL APPROACH
1. RADIUS crypto-agility solutions are not restricted to utilizing
technology described in existing RFCs. Since RADIUS over IPsec is
already described in RFC 3162 and 3579, this technique is already
available to those who wish to use it. Therefore it is expected that
proposals will utilize other techniques.
SECURITY SERVICES
2. Proposals MUST support the negotiation of cryptographic
algorithms for per-packet integrity/authentication
protection. Support for confidentiality of entire RADIUS
packets is OPTIONAL. However, proposals MUST support the negotiation of
algorithms for encryption (sometimes referred to as "hiding") of RADIUS
attributes. If possible, it is desirable for proposals to provide for the
encryption of existing attributes. This includes existing "hidden"
attributes as well as attributes (such as location attributes) that
require confidentiality.
3. Proposals MUST support replay protection. It has been noted that
existing mechanisms for replay protection of Accounting-Request/Response,
CoA-Request/Response and Disconnect-Request/Response messages are
inadequate.
4. Crypto-agility solutions need to specify mandatory-to-implement
algorithms for each mechanism.
BACKWARD COMPATIBILITY
5. Solutions to the problem need to demonstrate backward compatibility
with existing RADIUS implementations. That is, a crypto-agility
solution needs to be able to send packets that a legacy RADIUS
client or server will receive and process successfully. Similarly, a
crypto-agility solution needs to be capable of receiving and processing
packets from a legacy RADIUS client or server.
6. Crypto-agility solutions need to avoid security compromise, even
in situations where the existing cryptographic algorithms utilized by
RADIUS implementations are shown to be weak enough to provide little or no
security (e.g. in event of compromise of the RADIUS shared secret).
Included in this would be protection against bidding down attacks.
INTEROPERABILITY AND CHANGE CONTROL
7. Proposals need to indicate a willingness to cede change control to the
IETF.
8. Crypto-agility solutions need to be interoperable between independent
implementations based purely on the information provided in the
specification.
SCOPE OF WORK
9. Crypto-agility solutions need to apply to all RADIUS packet types,
including Access-Request, Challenge, Reject & Accept,
Accounting-Request/Response, and CoA/Disconnect messages.
10. Proposals MUST include a Diameter compatibility section.
11. Crypto-agility solutions should not require fundamental changes to the
RADIUS operational model, such as the introduction of new commands or
maintenance of state on the RADIUS server. Similarly, the addition of
new capabilities to the RADIUS protocol is out of scope; a proposal should
focus on the crypto-agility problem and nothing else. For example,
proposals should not require new attribute formats or include
definition of new RADIUS services. Unless modified, the restrictions
in the RADEXT WG charter apply.
Note that for the purposes of this work, the RADEXT WG charter restriction
against definition of "new security mechanisms" should be interpreted as
prohibiting changes to the basic RADIUS packet format (e.g. headers), but
permits new crypto-algorithms to be substituted for use in existing
security mechanisms.
Regards,
Bernard Aboba
Dave Nelson
RADEXT Co-Chairs
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>