[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Crypto-agility requirements: Compromise of Legacy Shared Secret (from Issue 303)

To: Bernard Aboba <Bernard_Aboba@hotmail.com>
Subject: Re: Crypto-agility requirements: Compromise of Legacy Shared Secret (from Issue 303)
From: Alan DeKok <aland@deployingradius.com>
Date: Wed, 15 Jul 2009 11:17:57 +0200
Cc: 'Stefan Winter' <stefan.winter@restena.lu>, radiusext@ops.ietf.org
In-reply-to: <BLU137-DS5A02E8F2795186B42739793230@phx.gbl>
References: <BLU137-W29C6F71BD5DE61CCFD09FC93330@phx.gbl> <4A4890C7.6030608@deployingradius.com> <4A573B0C.2070303@restena.lu> <4A5C9577.8060707@deployingradius.com> <BLU137-DS5A02E8F2795186B42739793230@phx.gbl>
User-agent: Thunderbird 2.0.0.22 (Macintosh/20090605)

Bernard Aboba wrote:
> [BA] This makes sense to me.  But beyond that -- the upgrade scenario we had
> discussed involved upgrading the server first.  So assuming that the server
> supports the new crypto-agile functionality, and the RADIUS client has also
> been upgraded, why would the RADIUS client still need to send legacy RADIUS
> packets to the server? It seems like that would only happen if the RADIUS
> client were mis-configured,  or the implementation was broken, no?

  Yes.  While I can see some systems upgrading clients before servers,
this practice should be discouraged.

> That said, there still may be some operational annoyance associated with
> having "old" and "new" RADIUS client configurations on the server,
> effectively doubling the NAS configuration.  It would be nice to be able to
> tie the "old" and "new" clients together somehow, so as to be able to remove
> configuration info on "old" NASes that have long since been upgraded.  But
> this seems like more of an operational hassle than a requirement, I think. 

  Yes.  Most servers already have per-NAS configuration.  I would
suggest something like:


  1) define client by IP, secret (and server-specific stuff)
  2) add TLS data to above client definition (PSK, certs, etc.)
  3) delete IP && secret configuration from client definition

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- Crypto-agility requirements: Compromise of Legacy Shared Secret (from Issue 303)
  - From: Bernard Aboba <bernard_aboba@hotmail.com>
- Re: Crypto-agility requirements: Compromise of Legacy Shared Secret (from Issue 303)
  - From: Alan DeKok <aland@deployingradius.com>
- Re: Crypto-agility requirements: Compromise of Legacy Shared Secret (from Issue 303)
  - From: Stefan Winter <stefan.winter@restena.lu>
- Re: Crypto-agility requirements: Compromise of Legacy Shared Secret (from Issue 303)
  - From: Alan DeKok <aland@deployingradius.com>

Prev by Date: Re: Crypto-agility requirements: Compromise of Legacy Shared Secret (from Issue 303)
Next by Date: REMINDER: Ongoing Call for adoption of RADIUS over DTLS document as a RADEXT WG work item
Previous by thread: Re: Crypto-agility requirements: Compromise of Legacy Shared Secret (from Issue 303)
Next by thread: Crypto-agility requirements: Backward Compatibility (from Issue 303)
Index(es):
- Date
- Thread