[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HOKEY] comments on draft-gaonkar-radext-erp-attrs-00

To: "Glen Zorn (gwz)" <gwz@cisco.com>
Subject: Re: [HOKEY] comments on draft-gaonkar-radext-erp-attrs-00
From: Yoshihiro Ohba <yohba@tari.toshiba.com>
Date: Sun, 15 Jul 2007 22:26:47 -0400
Cc: kgaonkar3@gatech.edu, Lakshminath Dondeti <ldondeti@qualcomm.com>, radiusext@ops.ietf.org, hokey@ietf.org
In-reply-to: <4C0FAAC489C8B74F96BEAD85EAEB262504504984@xmb-sjc-215.amer.cisco.com>
References: <4C0FAAC489C8B74F96BEAD85EAEB262504504984@xmb-sjc-215.amer.cisco.com>
User-agent: Mutt/1.5.13 (2006-08-11)

I agree with Glen's analysis (except that the entity that requests a
DSRK from home domain server is a visited domain server, not a NAS in
my reading of the draft).  Security property of a key management
mechanism that relies on a particular AAA protocol deployment can
easily be lost when the AAA protocol is deployed in a wrong way (e.g.,
placing a AAA proxy that can read the key on the key distribution
path).  The problem with such an approach is there is no
protocol-level mechanism to prevent mis-deployment of AAA protocol.  
I don't think such a mechanism should survive in the long run.

A securer and cleaner way to avoid dependency on AAA protocol
deployment is to use a 3-party key distribution protocol that does not
rely on underlying transport security.  HOKEY WG is already taking
that approach: draft-ietf-hokey-key-mgm-00.txt.

Regards,
Yoshihiro Ohba



On Sun, Jul 15, 2007 at 03:05:20PM -0700, Glen Zorn (gwz) wrote:
> I would like to note that there is pre-existing work in this area
> (http://www.ietf.org/internet-drafts/draft-zorn-radius-keyreq-07.txt,
> http://www.ietf.org/internet-drafts/draft-zorn-radius-keywrap-13.txt).
> Be that as it may, however, it's difficult to understand what the
> purpose of the Requesting Entity's Identity in the express environment
> that is implied by the draft (i.e., a request from a visited network to
> a home network).  If, as I assume (please correct me if my assumption is
> incorrect), the requesting entity is a NAS it doesn't seem reasonable to
> believe that the RADIUS server in a remote network would have any
> knowledge of it, even less so in the case where the visited and home
> networks are separated by one or more proxies & thus lack any direct
> trust relationship.  If this identity is meant to be used for key
> binding purposes, I think that this is incredibly dangerous, imputing
> trust as it does between the home RADIUS server and an entity of which
> it possesses no knowledge.  OTOH, suppose that there _is_ a direct trust
> relationship between the home & visited network, intervening proxies
> notwithstanding (perhaps by means of an OOB WRT RADIUS key exchange);
> further, suppose that this trust is so strong that the home RADIUS
> server is willing to take the visited domain at its word as to the
> identity of the requesting NAS.  In this case, the security of the
> protocol is defeated by the use of IPsec on a hop-by-hop basis since the
> message and key are available in plaintext form at each (less trusted)
> hop.

> _______________________________________________
> HOKEY mailing list
> HOKEY@ietf.org
> https://www1.ietf.org/mailman/listinfo/hokey


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- RE: [HOKEY] comments on draft-gaonkar-radext-erp-attrs-00
  - From: "Glen Zorn \(gwz\)" <gwz@cisco.com>

References:
- comments on draft-gaonkar-radext-erp-attrs-00
  - From: "Glen Zorn \(gwz\)" <gwz@cisco.com>

Prev by Date: comments on draft-gaonkar-radext-erp-attrs-00
Next by Date: RE: [HOKEY] comments on draft-gaonkar-radext-erp-attrs-00
Previous by thread: comments on draft-gaonkar-radext-erp-attrs-00
Next by thread: RE: [HOKEY] comments on draft-gaonkar-radext-erp-attrs-00
Index(es):
- Date
- Thread