[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02

Internet Engineering Task Force                          K. Hoeper, Ed.
Internet Draft                                                     NIST
Intended status: Informational                                S. Winter
Expires: May 3, 2009                                            RESTENA
                                                       November 3, 2008




              Threat Model for Networks Employing AAA Proxies
                      draft-hoeper-proxythreat-01.txt


Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on May 3, 2007.

Copyright Notice

   Copyright (C) The IETF Trust (2008).

Abstract

   This memo defines a threat model for access networks with AAA
   proxies. Use cases of current and future applications in which AAA
   proxies are employed are described and it is discussed how proxies
   could launch attacks in the defined use cases. The risk associated
   with these attacks in each use case is analyzed. As a result, this
   draft can serve as a guideline for risk assessments by providers,
   implementers and protocol designers of systems with proxies.


Hoeper & Winter          Expires May 3, 2009                   [Page 1]


Internet-Draft           AAA Proxy Threat Model           November 2008


Table of Contents


   1. Introduction...................................................2
      1.1. Goals of this Document....................................3
      1.2. Scope.....................................................4
      1.3. Terminology...............................................4
   2. Problem Statement..............................................5
   3. Related Work...................................................6
   4. Use Cases......................................................6
      4.1. Enterprise Network Management.............................6
      4.2. Free International Roaming................................7
      4.3. Billable International Roaming............................9
   5. Threat Model...................................................9
      5.1. Network Entities and their Trust Relationships............9
      5.2. Potential Attacks........................................10
   6. Risk Analysis.................................................12
      6.1. Feasibility..............................................13
      6.2. Severity.................................................14
   7. Security Considerations.......................................14
   8. IANA Considerations...........................................14
   9. Conclusions...................................................14
   10. Acknowledgments..............................................15
   11. References...................................................15
      11.1. Normative References....................................15
      11.2. Informative References..................................15
   Authors' Addresses...............................................16
   Intellectual Property Statement..................................16
   Disclaimer of Validity...........................................17

1. Introduction

   Currently, AAA proxies are implemented in many access networks
   serving a variety of purposes. For example, proxies provide a
   scalable solution for access management in large networks.
   Furthermore, proxies can enable roaming because mobile nodes (MN) can
   access other networks by authenticating to their home server through
   local proxies. Some of these tasks require proxies to possess AAA
   keying material.

   The introduction of proxies can change the security model of a
   network as well as of the implemented protocols. As a consequence,
   AAA proxies may introduce new security vulnerabilities. However,
   currently the role of AAA proxies in networks and all their security
   implications are not considered in many existing RFCs and Internet
   drafts. The relationship with RFC 4962 [1] is the most glaring aspect
   of the problem, but the progress of numerous drafts in a number of


Hoeper & Winter          Expires May 3, 2009                   [Page 2]


Internet-Draft           AAA Proxy Threat Model           November 2008


   working groups is affected by the so-called "proxy problem".
   Recently, there have been attempts to reconcile the widespread
   deployment of AAA proxies with the security requirements of
   individual Internet protocols or protocol extensions.

   While the re-occurrence of the proxy problem in several WGs may be
   bothersome and slow down progress, the problems are more severe for
   providers and users of already existing implementations with proxies.
   Doubts exist whether current security claims stated in RFCs and
   Internet Drafts are still valid for implementations with proxies.
   Hence, providers of networks with proxies that rely on such security
   claims may have unknowingly introduced new vulnerabilities to their
   systems that have not been covered in the respective protocol
   specifications. For the same reasons, users of such systems may be
   unknowingly exposed to attacks.

   Concluding, the proxy problem may affect existing and future
   implementations of Internet protocols whose specifications neglected
   proxies in their security considerations. If security issues
   introduced by proxies are not identified and addressed, future
   protocol specifications will suffer from the same problems.

1.1. Goals of this Document

   Since the "proxy problem" challenges the credibility of existing RFCs
   and slows down the progress of many IETF WGs, it seems necessary to
   evaluate this problem in detail and make the results available to all
   current and future IETF WGs and other standard bodies.

   This document shows how AAA proxies may change the security models of
   networks and their employed protocols in several use cases. Even more
   importantly, the document analyses the feasibility as well as
   severity of the identified threats.

   As a result, this draft can be used as a tool for risk assessment of
   a network with AAA proxies or protocols implemented in such networks.
   This draft shows which attacks by proxies are feasible in particular
   use cases under certain conditions. It is up to the
   provider/implementer/protocol designer to decide whether the
   identified threats justify the costs that would be introduced by
   countermeasures such as infrastructure and/or protocol modifications

   Current and future drafts that are subject to the "proxy problem"
   could reference this document to point out possible vulnerabilities
   and risks.




Hoeper & Winter          Expires May 3, 2009                   [Page 3]


Internet-Draft           AAA Proxy Threat Model           November 2008


   Technical solutions addressing the identified vulnerabilities are not
   presented in this draft. However, authors of affected protocol
   specifications are encouraged to use the presented threat model to
   design a case-based security solution or at least highlight proxy-
   related security vulnerabilities. The threat model presented in this
   draft could also serve as basis for designing more general solutions
   in a separate draft.

1.2. Scope

   This document focuses on security issues related to AAA proxies and
   the discussions and results in this memo should not be applied to
   other types of proxies. However, it is encouraged to work on similar
   documents for other kind of proxies.

   This document solely identifies security-related issues introduced by
   AAA proxies and their severity but neither provides solutions to
   address these problems nor discusses non-security related issues
   (such as routing, performance, etc.). Furthermore, this document does
   not consider AAA proxies that are configured to solely serve as a re-
   direct (as supported by Diameter), because such proxies do not need
   to gain access to attributes and/or keying material.

1.3. Terminology

   This section defines terms that are frequently used in this document.

   AAA
      Authentication, Authorization, and Accounting (AAA). AAA protocols
      include RADIUS [2] and Diameter [3].

   AAA Server
      A server which provides AAA services via an implemented AAA
      protocol to mobile nodes.

   AAA Client
      A network entity sending AAA requests to the AAA server and
      receiving AAA replies from the AAA server. NAS and AAA proxy can
      both act as AAA client.

   AAA Proxy
      An AAA proxy provides routing for AAA requests and replies. An
      AAA proxy appears to act as an AAA client to the AAA server and
      as AAA server to the AAA client. In this draft, pure re-direct
      proxies as supported by Diameter are not considered. Only AAA
      proxies that are capable of modifying attributes and may possess
      cryptographic keying material are considered.


Hoeper & Winter          Expires May 3, 2009                   [Page 4]


Internet-Draft           AAA Proxy Threat Model           November 2008


   MN
      A mobile node (MN) that wishes to access the network.

   NAS
      The Network Access Server (NAS) is the network entity that mobile
      nodes contact in order to obtain access to the network.

   Proxy Chain
     A routing path through a sequence of AAA proxies. In roaming
     scenarios, when a proxy chain is across different administrative
     domains, roaming agreements exist between the first and last proxy
     of the chain as well as between each neighboring pair of proxies.

   Roaming agreement
     Roaming agreements include agreements between companies and
     Internet Service Providers (ISPs), agreements among peer ISPs
     within a roaming association, and relationships between an ISP and
     a roaming consortium. These agreements require a certain level of
     trust among all parties of a roaming agreement.
     In the context of this draft, roaming agreements between two
     administrative domains imply that AAA proxies in these domains may
     share pairwise AAA keys with each other or may be capable of
     establishing such pairwise keys.

2. Problem Statement

   Unlike some other network entities that simply forward packets in the
   network, AAA proxies are designed to have additional capabilities and
   properties such that the AAA protocols executed through AAA proxies
   may have the following features:

   o  AAA proxies are able to modify and/or delete AAA attributes

   o  AAA proxies share pairwise AAA keys with the AAA server and/or
      other AAA proxies;

   o  AAA proxies and NAS cannot be distinguished by AAA server;

   o  AAA proxies and AAA server cannot be distinguished by NAS;

   o  AAA proxy chains cannot be distinguished from single proxies by
      neither NAS nor AAA server.

   The above special features may lead to new security vulnerabilities.
   For example, a proxy could modify or delete some attributes of an AAA
   request/reply. Or a proxy in possession of AAA keying material can
   break the end-to-end integrity and/or confidentiality between NAS and


Hoeper & Winter          Expires May 3, 2009                   [Page 5]


Internet-Draft           AAA Proxy Threat Model           November 2008


   AAA server that is assumed in some protocols. The last three bullets
   show that the other communicating entities might not even be aware of
   the proxies on the communication path. In the case of a single proxy
   or a chain of proxies [4] between NAS and AAA server, not every party
   authenticates to all parties it communicates with as required in RFC
   4962[1]. The sum of these and other security issues imposed by AAA
   proxies is referred to as "proxy problem" in this document.

3. Related Work

   [Editor's note: what other references should be mentioned here?]

   The "Security Consideration" Section of RFC 2607 [4] outlines
   security threats introduced by proxies in roaming scenarios using
   RADIUS. These observations and other threats will be further analyzed
   in this draft in a more general context. For instance, threats
   introduced by AAA proxies are analyzed in several use cases. In
   addition, this draft allows an application-based risk analysis.

4. Use Cases

   [Editor's note: Any more use cases?]

   For easier identification of vulnerabilities as well as analysis of
   feasibility and severity of attacks, a representative set of use
   cases for AAA proxies in networks are supplied here.

4.1. Enterprise Network Management

   In enterprise networks or other local networks with a single
   administrative domain, AAA proxies are used to enable easy and
   scalable network access in large networks. Here-instead of having a
   direct connection between each NAS and the authentication server-
   groups of NAS' can be connected to proxies in proximity. The proxies
   are then attached to the authentication server, resulting in a
   scalable network infrastructure. This is illustrated in Figure 1 for
   a network with two AAA proxies, where proxy 1 serves NAS 1 to NAS i
   and proxy 2 serves NAS j to NAS n. Hierarchical proxy routing can
   further simplify key management, as has been pointed out in RFC 2607.
   Note that this would lead to proxy chaining.

   Other reasons why proxies may be used in enterprise networks are that
   the administrator wants to assign different sets of offered services
   and policies for different groups of NAS'. In that case a proxy
   adjusts the AAA request from a certain NAS to the specified policy
   for this NAS, and/or adjusts the AAA reply to the capabilities of the
   NAS.  This requires the proxy to modify or delete AAA attributes. For


Hoeper & Winter          Expires May 3, 2009                   [Page 6]


Internet-Draft           AAA Proxy Threat Model           November 2008


   example, a NAS talking to proxy 1 only supports weak authentications
   (e.g. to constrained devices) but in return only limited services are
   made available to MNs connecting through this NAS. On the other hand,
   requests routed through proxy 2 may demand stronger authentication
   but provide a larger variety of services and information.

                              +------+
                              | AAA  |
                              +------+
                               /    \
                              /      \
                             /        \
                            /          \
                       +------+     +------+
                       |proxy1|     |proxy2|
                       +------+     +------+
                        /  \          /  \
                       /    \        /    \
                      /      \      /      \
                   +----+  +----+ +----+  +----+
                   |NAS1|..|NASi| |NASj|..|NASn|
                   +----+  +----+ +----+  +----+

               Figure 1 Enterprise network with two proxies.

4.2. Free International Roaming

   AAA proxies are also used to enable roaming across administrative
   domains with roaming agreements. Note that roaming agreements may
   imply that proxies from one domain share AAA keys with proxies from
   the other domain or may be capable of establishing such shared keys.
   A proxy in domain 1 (lets say the home domain of a MN) can serve as
   entry point for roaming requests from a domain 2 (lets say a visited
   domain). Even though the roaming is free in this use case (and thus
   billing unnecessary), it can be very important in such applications
   that policies of both domains are observed (e.g. the minimum age of
   users or minimum security level of provided services). To ensure
   this, the home proxy may need to adjust incoming AAA requests and
   outgoing AAA replies according to the capabilities and policies of
   visited and home networks, respectively, as well as the roaming
   agreements between them.

   Note that the path for AAA communications between the visited domain
   and the home domain may consist of several proxies, i.e. a proxy
   chain. Here, the roaming agreements between domain 1 and domain 2
   specify the relationship between proxies in domain 1 (say the first
   proxy in the chain) and proxies in domain 2(say the last proxy in the


Hoeper & Winter          Expires May 3, 2009                   [Page 7]


Internet-Draft           AAA Proxy Threat Model           November 2008


   chain). However, successful AAA functionality may require roaming
   agreements between each neighboring pair of proxies in the proxy
   chain (e.g. to share pairwise keys). For this reason, either the
   existing roaming agreement between domain 1 and domain 2 needs to
   extend to the intermediated proxies or additional agreements are
   needed. The described roaming scenario is illustrated in Figure 2.

        - - - - - - - -                - - - - - - -
         +-------+   Roaming agreements   +-------+
      |  | Local |  <==================>  |  Home | |
         |  AAA  |     |              |   |  AAA  |
      |  +-------+                        +-------+ |
             |         |              |       ^
      |      |                                |     |
             |         |              |       |
      |  +-------+      [*proxy chain]    +-------+ |
         | Local | --------  ...    ----->|  Home |
      |  | Proxy |     |              |   | Proxy | |
         +-------+                        +-------+
      |      ^         |              |             |
             |
      |      |         |              |             |
         +-------+
      |  | Local |     |              |             |
         |  NAS  |
      |  +-------+     |              |             |
             ^
      |      |         |              |             |
             |
      |  +------+      |              |             |
         |  MN  |
      |  +------+      |              |             |

      | Visited Domain |             _|Home Domain  |
       - - - - - - - -                 - - - - - - -

      *optional
             Figure 2 International Roaming Utilizing Proxies


   An example of an existing network enabling international roaming free
   of charge is eduroam [5]. Eduroam is a world-wide WLAN roaming
   network for users in education and research. The network consists of
   a hierarchy of RADIUS servers interconnecting participating sites.
   The hierarchy consists of a root level proxy, used for international
   roaming between different top-level domains, country-level proxy
   servers for roaming between institutions in the same top level


Hoeper & Winter          Expires May 3, 2009                   [Page 8]


Internet-Draft           AAA Proxy Threat Model           November 2008


   domain, and institutional servers to perform the actual
   authentication (these servers may optionally further proxy requests
   to departments within their own institution at their discretion).
   Most RADIUS servers are duplicated for resiliency purposes. This
   architecture leads to a proxy path with at least five RADIUS servers
   in a chain when roaming internationally.

4.3. Billable International Roaming

   In many roaming scenarios, the MN will be billed for the used roaming
   services according to the roaming agreements between the MN's home
   network and the visited network. The network architecture with
   proxies is the same as in the previous use case (see Figure 2),
   however additional billing information needs to be exchanged. Please
   note that authentication and accounting data may not take the same
   routing path [4]. As a consequence this document distinguishes
   between authentication proxy and accounting proxy for this use case.

5. Threat Model

   To be able to analyze security vulnerabilities introduced by AAA
   proxies and their risks, a threat model needs to be established
   first. Section 5.1. describes the different players in the threat
   model. Section 5.2. defines the attacks an AAA proxy may launch in
   any of the use cases that have been described in Section 4.

5.1. Network Entities and their Trust Relationships

   Since this document focuses on potential security risks introduced by
   AAA proxies, all other network entities (such as AAA servers and NAS)
   and MNs are assumed to execute all protocol steps faithfully and do
   not behave maliciously in any way. The practicability of these
   assumptions is out of scope of this document.

   The above assumptions are generally based on the following trust
   relationships:

   o  Within a home domain (can be also considered as an intra-domain)
      it is assumed that all entities are correctly configured and not
      controlled by a malicious party. This can be achieved by intrusion
      detection systems or other means to detect so-called malicious
      insiders.







Hoeper & Winter          Expires May 3, 2009                   [Page 9]


Internet-Draft           AAA Proxy Threat Model           November 2008


   o  The trust relationships between a home network and other local
      networks are specified in roaming agreements. These roaming
      agreements imply that the home network trusts the local network to
      faithfully carry out the roaming services that have been agreed on
      under specified conditions (e.g. roaming fees).

   This document deals with potential security threats introduced by AAA
   proxies. The attacks (as specified in the next Section) are executed
   by an AAA proxy that is either controlled by an adversary or mis-
   configured. In this threat model the following types of malicious
   proxies are distinguished:

     1. Proxies in the home network

     2. Proxies in the visited network

     3. Proxies in a proxy chain between the home and the visited
        networks

   Furthermore, these three proxy types are split into authentication
   and accounting proxies.

5.2. Potential Attacks

   A malicious or misconfigured AAA proxy may launch the following
   attacks:

     1. Passively eavesdrop on network traffic

     Monitoring network traffic is feasible for any entity with access
     to the network. It does not require any special capabilities or
     privileges, such as the knowledge of cryptographic keying material.
     Consequently, this attack is not limited to AAA proxies.

     Traffic analysis can be used to track the activity and/or mobility
     of particular users.

     2. Replay data packets

     This attack consists of two phases: (i) the recording of data
     packets of previous network authentications and (ii) the replaying
     of this data at a later time. This requires access to the network
     but no knowledge of keying material. Hence, the attack is not
     limited to proxies.





Hoeper & Winter          Expires May 3, 2009                  [Page 10]


Internet-Draft           AAA Proxy Threat Model           November 2008


     Replay attacks are typically prevented by the AAA protocol itself
     with the aid of time variant information. There are legacy
     operation modes in RADIUS that can be replayed easily (Access-
     Request packets without the Message-Authenticator attribute, which
     is against the Recommendation of RFC 5080[6]).

     3. Re-direct data packets

     Any proxy could maliciously re-direct AAA data packets. This
     requires access to the routing path but no knowledge of keying
     material. Hence, the attack can also be carried out by routers and
     is not specific to proxies.

     It appears that this attack can only be exploited for Denial of
     Service (DoS) attacks [Editor's note: Is this true?] which are
     typically not preventable by cryptographic means.

     4. Drop data packets

     As for re-direction attacks, any proxy can drop packets causing re-
     transmissions that can lead to a denial of service. [Editor's note:
     Is there any other attack?]. This attack can be executed by all
     entities on the routing paths, i.e. it is not limited to proxies
     and, e.g., can also be executed by routers.

     Note that this attack cannot easily be distinguished from "natural"
     packet losses.

     5. Actively extract confidential information from network traffic

     Where AAA protocols do not encrypt their payload or parts of it on
     the wire, an attacker may extract confidential information from the
     packet without knowledge of encryption keys. In this case, any
     intermediate hop (like routers) can eavesdrop on the non-encrypted
     parts of the protocol payload.

     If the protocol payload is encrypted as a whole, this attack
     requires the knowledge of the encryption key(s). If shared AAA keys
     are used for encrypting data, then a proxy in possession of these
     keys can decrypt the data.

     For example, this attack can be used to gather personal user
     information or accounting information (such as roaming fees and
     offered services) of competitive networks.

     6. Fabricate fake data packets



Hoeper & Winter          Expires May 3, 2009                  [Page 11]


Internet-Draft           AAA Proxy Threat Model           November 2008


     This attack requires the knowledge of the keying material used to
     protect data packets. If shared AAA keys are used for protecting
     data, then a proxy in possession of these keys can generate fake
     data packets.

     For instance, a malicious proxy could fabricate valid
     authentication packets for an unauthorized mobile node or fabricate
     fake accounting data to charge for unused services.

     7. Modify messages

     If shared AAA keys are used for protecting AAA messages, then a
     proxy in possession of these keys can modify the data.

     If an AAA message is not protected, any proxy or any other network
     entity can modify it.

     If an AAA message (protected or unprotected) is not bound to any
     other protected message it can be dropped by any proxy or other
     network entity on the routing path.

     8. Modify AAA attributes

     If shared AAA keys are used for protecting AAA attributes, then a
     proxy in possession of these keys can modify the attributes.

     If an AAA attribute is not protected, any proxy or any other
     network entity can modify it.

     If an AAA attribute (protected or unprotected) is not bound to any
     other protected AAA message or attribute it can be dropped by any
     proxy or other network entity on the routing path.

     Current AAA protocols provide shared keying material for payload
     protection and thus expose packet contents to proxies. There are
     key wrapping schemes to protect individual attributes though, which
     can encrypt AAA attributes between any two AAA servers while not
     exposing them to intermediate AAA proxies. These key wrapping
     schemes require out of band negotiation of wrapping keys, which is
     hardly scalable.

6. Risk Analysis

   This section uses the threat model in Section 5. to analyze the
   feasibility and severity of the identified attacks 5. in each of the
   uses cases discussed in Section 4. An attack is only considered a



Hoeper & Winter          Expires May 3, 2009                  [Page 12]


Internet-Draft           AAA Proxy Threat Model           November 2008


   risk, if the attack is feasible and the impact is sufficiently severe
   to justify the attack's costs from an attacker's perspective.

6.1. Feasibility

   It can be observed that the feasibility of attacks by proxies depend
   on the use case, the type of employed proxies, and whether the proxy
   possesses keying material required for an attack.

   In general, the existence of malicious home proxies in an enterprise
   network (and thus the feasibility of attacks in such networks) is
   fairly unlikely because enterprise networks can be efficiently
   protected. For such an attack, the trust assumption in the home
   network must be violated (see Section5.1. ).

   On the other hand, in roaming scenarios, the attacks by proxies (as
   listed in Section 5.2. ) can be classified as more feasible because
   they can be carried out by local proxies and/or proxies in a proxy
   chain between home and visited network. The trustworthiness of
   visited proxies is specified in the respective roaming agreements,
   while the trustworthiness of proxies in proxy chains may depend on a
   chain of roaming agreements. In a proxy chain, both ends of the chain
   (i.e. home and visited network) have roaming agreements with each
   other as well as neighboring pairs of proxies in the chain. Only if
   the chain consists of three or less proxies, the home network
   directly trusts all proxies (up to two) in the chain. For chains
   longer than three (including the end points) trust is transitive,
   i.e. the home proxy does not directly trust all proxies on the chain
   but rather trusts its direct neighbor to only have agreements with
   other trusted proxies and so forth. This results into a chain of
   trust. It can be observed, that a violation of this chain of trust is
   more likely than a direct trust violation in the home or visited
   network. Furthermore, the longer the proxy chain, the more diluted
   may the trust relations become and the more likely is a compromised
   or mis-configured proxy as part of the proxy chain.

   In any case, attacks in roaming use cases require that a trust
   relation as part of the roaming agreements is violated (see Section
   5.1. .

   In addition, the feasibility of attacks depend whether they require
   knowledge of keying material. For instance, attacks 1-4 in Section
   5.2. do not require the knowledge of keying material and thus can be
   executed by any proxy. On the other hand, attacks 5-8 require the
   knowledge of the AAA keying material that has been used to protect
   the data under attack. However, the possession of keying material is
   likely because AAA protocols are often based on hop-by-hop security


Hoeper & Winter          Expires May 3, 2009                  [Page 13]


Internet-Draft           AAA Proxy Threat Model           November 2008


   using shared keys. In addition, proxies often need to be able to
   adjust (protected) AAA attributes to meet local requirements.

6.2. Severity

   In enterprise networks, the severity of attacks are rather limited,
   because the exchanged data would not be of great value for an
   attacker and the exploitation of fabricated of modified packets is
   limited (e.g. because of the lack of accounting data and mobility
   pattern of users).

     The severity of all attacks in roaming scenarios is higher due to
     the higher value of the exchanged information and offered services.
     For instance, traffic analysis attacks (attack 1) could be of
     interest to track the movements of particular mobile users. DoS
     attacks (attacks 3 and 4) could bring down the entire services, so
     the risk can be considered moderate to severe depending on the
     offered services.

     Especially accounting information is an attractive target for an
     adversary. However, the information of free roaming services (use
     case 2) can be of value as well. For example, in [5] data can
     contain the age, nationality, and other personal information of the
     mobile user wishing to access the network. Modification attacks can
     also be a severe risk, e.g. under aged users can control proxies to
     modify the age in order to pass the age limit for a requested
     service or local proxies may modify the roaming information to make
     their network services more attractive but later charge more. In
     addition modification attacks can be used for the downgrading of
     negotiated security credentials. Fabrication attacks can be
     classified as extremely severe in use case 3, because a malicious
     accounting proxy could fabricate false accounting information, such
     that the home network is charged for roaming fees even though no
     mobile node actually roamed.

7. Security Considerations

   TBD

8. IANA Considerations

   This document has no IANA considerations.

9. Conclusions

   This draft facilitates implementers and providers of networks with
   AAA proxies as well as protocols designers to carry out a risk


Hoeper & Winter          Expires May 3, 2009                  [Page 14]


Internet-Draft           AAA Proxy Threat Model           November 2008


   analysis of threats introduced by AAA proxies. The result of such
   analysis enables to decide whether the potential security
   vulnerabilities introduced by AAA proxies in the network justify the
   costs of necessary system or protocol modifications to thwart the
   identified attacks.

   Furthermore, as another result of this draft, it can be observed that
   security solutions thwarting proxy attacks can be expected not to be
   of pure technical nature. The feasibility of attacks highly depends
   on the reliability of trust assumptions in enterprise networks and
   roaming agreements in roaming applications.

   Technical solutions such as providing end-to-end protection of AAA
   attributes and messages can prevent modifications and fabrication
   attacks and should be carefully studied in future works.

10. Acknowledgments

   Thanks to everybody contributing to the proxy list and/or the meeting
   in Philadelphia, especially Bernard Aboba, Alan DeKok, Pasi Eronen,
   Dan Harkins, Sam Hartman, Russ Housley, Tim Polk, Klaas Wierenga, and
   Glen Zorn. Special thanks to Stefan Winter for providing the eduroam
   application as one of the use cases.

11. References

11.1. Normative References

   (None).

11.2. Informative References

   [1]      Housley, R. and Aboba, B., "Guidance for Authentication,
     Authorization, and Accounting (AAA) Key Management", BCP 132, RFC
     4962, July 2007.

   [2]      Rigney, C., Willens, S., Rubens, A., and W. Simpson,
     "Remote Authentication Dial In User Service (RADIUS)", RFC 2865,
     June 2000.

   [3]      Calhoun, P., Loughney, J., Guttman, E., Zorn, G., Arkko, J.,
     "Diameter Base Protocol", RFC 3588, September 2003.

   [4]      Aboba, B., "Proxy Chaining and Policy Implementation in
     Roaming", RFC 2607, June 1999.




Hoeper & Winter          Expires May 3, 2009                  [Page 15]


Internet-Draft           AAA Proxy Threat Model           November 2008


   [5]      Wierenga, K. and S. Winter, "Deliverable DJ5.1.4: Inter-NREN
     Roaming Architecture: Description and Development Items", 2006,
     <http://www.geant2.net/roaming-techspec.pdf>.

   [6]      Nelson, D. and DeKok, A., "Common Remote Authentication Dial
     In User Service (RADIUS) Implementation Issues and Suggested
     Fixes", RFC 5080, December 2007.

Authors' Addresses

   Katrin Hoeper (editor)
   National Institute of Standards and Technology
   100 Bureau Drive, MS: 8930
   Gaithersburg, MD 20899
   USA

   Email: khoeper@nist.gov

   Stefan Winter
   RESTENA Foundation
   6, rue Richard Coudenhove-Kalergi
   1359 Luxembourg
   LUXEMBOURG

   Email: stefan.winter@restena.lu


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary


Hoeper & Winter          Expires May 3, 2009                  [Page 16]


Internet-Draft           AAA Proxy Threat Model           November 2008


   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.























Hoeper & Winter          Expires May 3, 2009                  [Page 17]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/