[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FW: Review of draft-ietf-radext-status-server

To: Ignacio Goyret <igoyret@alcatel-lucent.com>
Subject: Re: FW: Review of draft-ietf-radext-status-server
From: Alan DeKok <aland@deployingradius.com>
Date: Sat, 23 Jan 2010 01:22:14 +0100
Cc: Bernard Aboba <bernard_aboba@hotmail.com>, radiusext@ops.ietf.org
In-reply-to: <201001222049.o0MKn5i9001910@cliff.eng.ascend.com>
References: <BLU137-DS1BAA8A1F41953BE577BD193620@phx.gbl> <4B5955E8.6050201@deployingradius.com> <201001221931.o0MJV49a032420@cliff.eng.ascend.com> <4B5A0C22.3050902@deployingradius.com> <201001222049.o0MKn5i9001910@cliff.eng.ascend.com>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

Ignacio Goyret wrote:
> A client has *no* reliable way to find out if an incoming
> Access-Accept is for an Access-Request it sent or from an
> Status-Server sent by an attacker (with a possibly problematic
> server).

  But this attack is possible in RADIUS without Status-Server.

  We can presume that the attacker possesses at least one "known good"
user password.  (i.e. via signing up for a temporary account).  Then
this attack can be performed at will: sniff an Access-Request, and
quickly replace it with a "fake" one containing the same Id && Request
authenticator, but with the "fake" CHAP-Password and CHAP-Challenge.

  The server will respond with Access-Accept, and authorize the other
session.

> See why this is a slippery slope?

  Oh, yes.  But the problem is mostly due to un-authenticated request
packets, and less so to the use of Access-Accept.

> IMHO, people should be advised to NOT use this method of
> checking the servers.

  Hmm... even though this attack is already possible in RADIUS?

  The only defense is to require that Access-Request (and Status-Server)
packets be signed.  RFC 5080 Section 2.2.2 makes this recommendation for
Access-Requests.  This document makes the same recommendation for
Status-Server.

  We can also presume that the RADIUS client && server will be
configured by people who communicate.  i.e. the "client" is also
partially the admin, who knows that the server supports signed
Status-Server, and therefore can safely enable it on the client.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- Re: FW: Review of draft-ietf-radext-status-server
  - From: Ignacio Goyret <igoyret@alcatel-lucent.com>

References:
- FW: Review of draft-ietf-radext-status-server
  - From: "Bernard Aboba" <bernard_aboba@hotmail.com>
- Re: FW: Review of draft-ietf-radext-status-server
  - From: Alan DeKok <aland@deployingradius.com>
- Re: FW: Review of draft-ietf-radext-status-server
  - From: Ignacio Goyret <igoyret@alcatel-lucent.com>
- Re: FW: Review of draft-ietf-radext-status-server
  - From: Alan DeKok <aland@deployingradius.com>
- Re: FW: Review of draft-ietf-radext-status-server
  - From: Ignacio Goyret <igoyret@alcatel-lucent.com>

Prev by Date: Re: "Last Look" at the RADIUS Design Guidelines document
Next by Date: Re: FW: Review of draft-ietf-radext-status-server
Previous by thread: Re: FW: Review of draft-ietf-radext-status-server
Next by thread: Re: FW: Review of draft-ietf-radext-status-server
Index(es):
- Date
- Thread