
Re: Issue 282: backward compatibility, proposed text



Alan DeKok wrote:
> Bernard Aboba wrote:
>
>> Question:  At various points we have talked about separating out the
>> material on DNS SRV-based discovery.  How does this recommendation
>> relate to that?  For example, assuming that DNS SRV RR queries aren't
>> protected by DNSSEC, couldn't the discovery process generate a "fallback
>> to classic RADIUS"?
>
>   Yes.

*If* classic RADIUS were to be specified with DNS SRV discovery, yes.
AFAIK, there are no plans to do that - only TLS and DTLS. It would be
rather tricky to do so, because the shared secret would need to be
discovered, and the DNS channel offers no adequate protection for such a
keying material exchange, AFAICT.

>> (e.g. if only the FQDN of the server is provided and
>> DNS SRV RR queries are used to determine whether RADSEC and/or RADIUS
>> was supported).   For example, couldn't an attacker spoof a response to
>> the DNS SRV RR query and convince the querier that only RADIUS was
>> available?
>
>   Systems should be implemented so that administrators can require
> RADSEC for particular home servers.  This turns the down-bidding attack
> into a DoS attack, as the proxy will refuse to connect over plain RADIUS.

That sounds good. Configuration details are not a part of the on-wire
protocol though, so: does it make sense to recommend this in the draft?
This sounds like an issue to mention in the dynamic discovery draft
itself (see below).

>> And overall, I'm curious about where the text relating to DNS discovery
>> is going/belongs.  In the draft?  Outside of it in a separate document?
>> None of these?
>
>   In a separate draft.  DTLS and normal RADIUS could be using dynamic
> discovery, too.

I have a stub of a draft on my disk, which is basically copy&paste from
the contents of the earlier radsec-02 revision. The issues discussed in
this thread (+i18n) should/will end up there.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

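The down-bidding scenario discussed in this thread, as an added example that is not code from the thread or from any RADIUS implementation: a proxy performs SRV-based discovery over an unauthenticated DNS channel, and an operator-configured "require RadSec for this realm" rule decides whether a spoofed answer advertising only classic RADIUS produces a plaintext session or merely a refused connection. The service labels `_radsec._tcp` and `_radius._udp`, the realm names and the SRV answers are constructed assumptions for the example, and RFC 2782 weighted selection is simplified to "lowest priority, then highest weight".

```python
"""Added example: transport selection for RADIUS dynamic discovery with a
per-realm 'require RadSec' policy.  Not code from the thread or from any
RADIUS product; service labels, realms and SRV answers are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed SRV service labels (hypothetical for this example).
SRV_RADSEC = "_radsec._tcp"   # RADIUS over TLS
SRV_RADIUS = "_radius._udp"   # classic RADIUS, shared secret, UDP


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(rdata: str) -> SrvRecord:
    """Parse SRV RDATA in presentation form: 'priority weight port target'."""
    prio, weight, port, target = rdata.split()
    return SrvRecord(int(prio), int(weight), int(port), target.rstrip("."))


def best_record(records: List[SrvRecord]) -> Optional[SrvRecord]:
    """Lowest priority wins; among equal priorities prefer the highest weight
    (RFC 2782's weighted random pick is simplified to a deterministic choice)."""
    if not records:
        return None
    return sorted(records, key=lambda r: (r.priority, -r.weight))[0]


def select_transport(realm: str,
                     srv_answers: Dict[str, List[str]],
                     require_radsec: Set[str]) -> Optional[Tuple[str, str, int]]:
    """Pick a transport for `realm` from (unauthenticated) SRV answers.

    srv_answers maps '<service>.<realm>' to SRV RDATA strings as returned by
    the resolver.  require_radsec is the operator's configured set of realms
    that must be reached over RadSec only.  Returns ('radsec'|'radius',
    host, port), or None when no acceptable server exists.
    """
    radsec = best_record([parse_srv(r) for r in
                          srv_answers.get(f"{SRV_RADSEC}.{realm}", [])])
    if radsec:
        return ("radsec", radsec.target, radsec.port)
    if realm in require_radsec:
        # A spoofed 'only plain RADIUS' answer cannot bid the proxy down:
        # the connection is refused, so the attacker gets DoS, not plaintext.
        return None
    radius = best_record([parse_srv(r) for r in
                          srv_answers.get(f"{SRV_RADIUS}.{realm}", [])])
    if radius:
        return ("radius", radius.target, radius.port)
    return None


# Constructed sample answers for realm example.org.
HONEST_ANSWERS = {
    f"{SRV_RADSEC}.example.org": ["10 50 2083 radsec1.example.org.",
                                  "20 50 2083 radsec2.example.org."],
    f"{SRV_RADIUS}.example.org": ["10 50 1812 radius1.example.org."],
}
# Spoofed answer: the RadSec record is gone and only classic RADIUS is offered.
SPOOFED_ANSWERS = {
    f"{SRV_RADIUS}.example.org": ["10 50 1812 spoofed.example.net."],
}

if __name__ == "__main__":
    print(select_transport("example.org", HONEST_ANSWERS, set()))
    print(select_transport("example.org", SPOOFED_ANSWERS, set()))            # downgrade succeeds
    print(select_transport("example.org", SPOOFED_ANSWERS, {"example.org"}))  # None: DoS instead
```

With no policy entry the spoofed answer silently yields a classic RADIUS session; with `example.org` listed in `require_radsec` the same answer yields `None`, which is the "down-bidding becomes DoS" outcome Alan describes. The policy is local proxy configuration, not anything carried on the wire, which is why it belongs in the discovery document rather than in the transport specification.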

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>