[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: FW: DISCUSS: draft-ietf-radext-rfc3576bis

To: dromasca@avaya.com, radiusext@ops.ietf.org
Subject: RE: FW: DISCUSS: draft-ietf-radext-rfc3576bis
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
Date: Thu, 18 Oct 2007 09:10:41 -0700
Bcc:
In-reply-to: <EDC652A26FB23C4EB6384A4584434A04525BB4@307622ANEX5.global.avaya.com>

Discuss:
The RFC 2401 IPsec model does not actually support the concept of a
security policy entry that is "accept protected traffic but don't
require it."  Some of the suggested policies in the security
considerations section seem to rely on this.

In large "mixed" deployment, it can be cumbersome to configure IPsec filtersfor every NAS.

Since we have no mechanism for an application to find out if traffic isprotected

That is only necessary if the RADIUS shared secret isn't configured whenRADIUS/IPsec is used. Otherwise, the server just checks the incomingpackets using existing RADIUS security -- it doesn't care if the packet wasprotected by IPsec or not.

In any case, some shipping products do support "traffic protection"awareness.

I don't think that you can actually have a secure setup if you sometimesuse IPsec
with a given source and sometimes do not.

If all NASes are known to support IPsec, then the server can configure aglobal filter that says "only accept IPsec from these addresses." However,during a transition period the server may be willing to accept eitherconventional RADIUS from some NASes or RADIUS over IPsec. In that case,all the server has to do is carry out existing RADIUS security checks.

You don't seem to say what IKE authentication modes need to be
supported. You may get a long way by referring to RFC 4945.


This is covered in RFC 3579, so we could reference that.

I'm confused by section 6.2.  Does the attack described there actually
happen if the first-hop proxy uses a different secret for each DAS/NAS
and confirms that the right secret is used?  I.E. confirms that the NAS
identity matches the expected NAS identity for the secret?

The attack can still happen if different shared secrets are used if thefirst hop proxy doesn't check the source address against the NAS-Identifier.For example, the NAS could claim to be another NAS in the NAS-Identifier,but use the correct (and different) RADIUS shared secret. When the proxyforwards the packet, it has now been "laundered" -- the server can'tdetermine whether it came from a "lying NAS" or not.




--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- FW: DISCUSS: draft-ietf-radext-rfc3576bis
  - From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>

Prev by Date: Re: FW: DISCUSS and COMMENT: draft-ietf-radext-rfc3576bis
Next by Date: RE: Guidelines suggested text for checklist:
Previous by thread: FW: DISCUSS: draft-ietf-radext-rfc3576bis
Index(es):
- Date
- Thread