ISSUE with draft-ietf-radext-ieee802-00.txt
Description of Issue: Clarification of Section 7 - Security considerations
Submitter name: Alan DeKok
Submitter email address: aland@ox.org
Date first submitted: July 11, 2005
Document: http://www.drizzle.com/~aboba/RADEXT/draft-ietf-radext-ieee802-00.txt
Comment type: Technical
Priority: S
Section: 7.3
Rationale: The last sentence of section 7 has strong new requirements on RADIUS
The last sentence of section 7 is also the last section of the
document, and says:
In addition, the same RADIUS shared secret MUST NOT used for both
IEEE 802.1X authentication and PAP authentication.
It's a little surprising to have a requirement with such a large
impact as the last sentence in the document, with no further
discussion.
This requirement means that it may be impossible for implementations
to call themselves "unconditionally compliant". Since RADIUS servers
cannot control the authentication methods used by a NAS, there is no
way for an implementation to know if a particular shared secret is
used for IEEE 802.1X or PAP authentication.
When a RADIUS server is proxying requests from one or more NASes to
a home server, it may not have a choice about how many shared secrets
it uses. In order to satisfy the MUST in section 7.3, the proxying
server MUST send packets from two different IP addresses. This
configuration may not be possible in many deployments.
In addition, 802.1X devices may pass through EAP for user
authentication, but also implement device administrator authentication
via RADIUS. Implementors should be guided as to how to implement
administrator authentication without breaking the security of user
authentication.
Requested change:
1. Change the MUST to a SHOULD.
2. Add the following suggested text:
Implementors are strongly cautioned to treat the preceding SHOULD
as a MUST. Issues with the RADIUS protocol prevent the above
requirement from being a MUST in all deployments.
If the device supports administrator authentication via RADIUS,
that authentication MUST NOT use PAP. That is, a device
such as an access point that implements IEEE 802.1X
authentication MUST NOT send a User-Password attribute in any
Access-Request packet. Another authentication method MUST be
used, though we do not suggest one here.
RADIUS server implementations that proxy both PAP and IEEE
802.1X authentication to another RADIUS server SHOULD use
multiple source IP addresses for the proxied packets. Where
this configuration is used, the implementation MUST NOT
use the same source IP address for both IEEE 802.1X
authentication and for PAP authentication. In those
deployments, the same RADIUS shared secret MUST NOT be used for
both IEEE 802.1X authentication and PAP authentication.
Alan DeKok.
archive: <http://psg.com/lists/radiusext/>
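The message above argues that a RADIUS server cannot know in advance whether a given shared secret will carry IEEE 802.1X or PAP, because the NAS chooses the method. What a server or proxy operator can do is observe what each secret actually carries: an Access-Request with a User-Password attribute is PAP, one with EAP-Message is IEEE 802.1X. The following is an added example, not code from the draft or from the submitter, that parses RFC 2865 packets and flags any configured secret seen with both methods, including the access-point-administrator case raised in the message. Client addresses, secrets and the three packets are constructed for the example; attribute numbers are the standard ones (User-Password 2, EAP-Message 79, Message-Authenticator 80).

```python
"""Audit RADIUS Access-Requests for one shared secret carrying both PAP and
IEEE 802.1X (EAP).  Added example for this thread, not code from the draft
or its submitter.  Addresses, secrets and packets are constructed inline."""
import hashlib
import struct
from collections import defaultdict

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2          # RFC 2865: present only for PAP
ATTR_EAP_MESSAGE = 79           # RFC 3579: present for EAP, hence IEEE 802.1X
ATTR_MESSAGE_AUTHENTICATOR = 80


def hide_user_password(password, secret, authenticator):
    """RFC 2865 s5.2 hiding: pad to 16-byte blocks, XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def build_access_request(ident, authenticator, attrs):
    """Serialise an Access-Request from (type, value) pairs."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]).
    Length fields are checked so a truncated packet raises instead of misparsing."""
    if len(data) < 20:
        raise ValueError("RADIUS header is 20 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field %d inconsistent with %d bytes" % (length, len(data)))
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, off))
        attrs.append((atype, data[off + 2:off + alen]))
        off += alen
    return code, ident, data[4:20], attrs


def methods_in(attrs):
    """Methods a request evidences: User-Password means PAP, EAP-Message means
    IEEE 802.1X.  A request carrying both counts toward both."""
    types = {t for t, _ in attrs}
    found = set()
    if ATTR_USER_PASSWORD in types:
        found.add("pap")
    if ATTR_EAP_MESSAGE in types:
        found.add("eap")
    return found


def audit_secret_usage(clients, observed):
    """clients: {source_ip: shared_secret} as configured on the server.
    observed: [(source_ip, packet_bytes)] seen on the wire.
    Tallies by secret, not by client, because a proxy may legitimately use one
    secret from several addresses.  Returns (usage, secrets seen with both)."""
    usage = defaultdict(set)
    for src, data in observed:
        code, _, _, attrs = parse_packet(data)
        if code != ACCESS_REQUEST or src not in clients:
            continue  # not a request, or an unknown client the server would drop
        usage[clients[src]] |= methods_in(attrs)
    violations = sorted(s for s, m in usage.items() if {"pap", "eap"} <= m)
    return dict(usage), violations


# Constructed sample: an access point doing 802.1X for users and PAP for its own
# administrator login over the same secret, and a proxy forwarding only 802.1X.
CLIENTS = {"192.0.2.10": b"secret-ap", "192.0.2.20": b"secret-proxy"}
RA1, RA2, RA3 = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))
OBSERVED = [
    ("192.0.2.10", build_access_request(1, RA1, [
        (ATTR_USER_NAME, b"user@example.com"),
        (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x15\x01user@example.com"),  # EAP-Response/Identity
        (ATTR_MESSAGE_AUTHENTICATOR, b"\0" * 16)])),  # placeholder; HMAC not computed here
    ("192.0.2.10", build_access_request(2, RA2, [
        (ATTR_USER_NAME, b"admin"),
        (ATTR_USER_PASSWORD, hide_user_password(b"admin-pw", b"secret-ap", RA2))])),
    ("192.0.2.20", build_access_request(3, RA3, [
        (ATTR_USER_NAME, b"other@example.com"),
        (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x16\x01other@example.com"),
        (ATTR_MESSAGE_AUTHENTICATOR, b"\0" * 16)])),
]

if __name__ == "__main__":
    usage, bad = audit_secret_usage(CLIENTS, OBSERVED)
    for secret, methods in usage.items():
        print(secret.decode(), sorted(methods))
    print("secrets used for both PAP and 802.1X:", [s.decode() for s in bad])
```

Run stand-alone, the audit reports `secret-ap` as carrying both methods and `secret-proxy` as EAP only. In a deployment the same logic would run over captured or logged Access-Requests keyed by the server's actual client table; it cannot prevent the reuse, which is the submitter's point, but it turns the draft's MUST NOT into something an operator can verify after the fact.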