Diff: draft-ietf-radext-dtls-10.txt - draft-ietf-radext-dtls-11.txt

	draft-ietf-radext-dtls-10.txt	draft-ietf-radext-dtls-11.txt

	Network Working Group Alan DeKok	Network Working Group Alan DeKok
	INTERNET-DRAFT FreeRADIUS	INTERNET-DRAFT FreeRADIUS
	Category: Experimental	Category: Experimental

	<draft-ietf-radext-dtls-10.txt>	<draft-ietf-radext-dtls-11.txt>
	Expires: October 15, 2015	Expires: October 28, 2015
	16 April 2014	30 April 2014

	DTLS as a Transport Layer for RADIUS	DTLS as a Transport Layer for RADIUS

	draft-ietf-radext-dtls-10	draft-ietf-radext-dtls-11

	Abstract	Abstract

	The RADIUS protocol defined in RFC 2865 has limited support for	The RADIUS protocol defined in RFC 2865 has limited support for
	authentication and encryption of RADIUS packets. The protocol	authentication and encryption of RADIUS packets. The protocol
	transports data in the clear, although some parts of the packets can	transports data in the clear, although some parts of the packets can
	have obfuscated content. Packets may be replayed verbatim by an	have obfuscated content. Packets may be replayed verbatim by an
	attacker, and client-server authentication is based on fixed shared	attacker, and client-server authentication is based on fixed shared
	secrets. This document specifies how the Datagram Transport Layer	secrets. This document specifies how the Datagram Transport Layer
	Security (DTLS) protocol may be used as a fix for these problems. It	Security (DTLS) protocol may be used as a fix for these problems. It

	skipping to change at page 3, line 39	skipping to change at page 3, line 39
	9.1. Radsecproxy ......................................... 18	9.1. Radsecproxy ......................................... 18
	9.2. jradius ............................................. 18	9.2. jradius ............................................. 18
	10. Security Considerations ................................. 19	10. Security Considerations ................................. 19
	10.1. Crypto-Agility ..................................... 19	10.1. Crypto-Agility ..................................... 19
	10.2. Legacy RADIUS Security ............................. 20	10.2. Legacy RADIUS Security ............................. 20
	10.3. Resource Exhaustion ................................ 21	10.3. Resource Exhaustion ................................ 21
	10.4. Client-Server Authentication with DTLS ............. 21	10.4. Client-Server Authentication with DTLS ............. 21
	10.5. Network Address Translation ........................ 22	10.5. Network Address Translation ........................ 22
	10.6. Wildcard Clients ................................... 23	10.6. Wildcard Clients ................................... 23
	10.7. Session Closing .................................... 23	10.7. Session Closing .................................... 23

	10.8. Client Subsystems .................................. 23	10.8. Client Subsystems .................................. 24
	11. References .............................................. 24	11. References .............................................. 24
	11.1. Normative references ............................... 24	11.1. Normative references ............................... 24
	11.2. Informative references ............................. 25	11.2. Informative references ............................. 25

	1. Introduction	1. Introduction

	The RADIUS protocol as described in [RFC2865], [RFC2866], [RFC5176],	The RADIUS protocol as described in [RFC2865], [RFC2866], [RFC5176],
	and others has traditionally used methods based on MD5 [RFC1321] for	and others has traditionally used methods based on MD5 [RFC1321] for
	per-packet authentication and integrity checks. However, the MD5	per-packet authentication and integrity checks. However, the MD5
	algorithm has known weaknesses such as [MD5Attack] and [MD5Break].	algorithm has known weaknesses such as [MD5Attack] and [MD5Break].

	skipping to change at page 12, line 30	skipping to change at page 12, line 30

	DTLS Session	DTLS Session
	Any information required to maintain and manage the DTLS session.	Any information required to maintain and manage the DTLS session.

	Last Taffic	Last Taffic
	A variable containing a timestamp which indicates when this session	A variable containing a timestamp which indicates when this session
	last received valid traffic. If "Last Traffic" is not used, this	last received valid traffic. If "Last Traffic" is not used, this
	variable may not exist.	variable may not exist.

	DTLS Data	DTLS Data

	An implementation-specific variable which may information about the	An implementation-specific variable which may contain information
	active DTLS session. This variable may be empty or non existent.	about the active DTLS session. This variable may be empty or non
		existent.

	This data will typically contain information such as idle timeouts,	This data will typically contain information such as idle timeouts,
	session lifetimes, and other implementation-specific data.	session lifetimes, and other implementation-specific data.

	5.1.1. Session Opening and Closing	5.1.1. Session Opening and Closing

	Session tracking is subject to Denial of Service (DoS) attacks due to	Session tracking is subject to Denial of Service (DoS) attacks due to
	the ability of an attacker to forge UDP traffic. RADIUS/DTLS servers	the ability of an attacker to forge UDP traffic. RADIUS/DTLS servers
	SHOULD use the stateless cookie tracking technique described in	SHOULD use the stateless cookie tracking technique described in
	[RFC6347] Section 4.2.1. DTLS sessions SHOULD NOT be tracked until a	[RFC6347] Section 4.2.1. DTLS sessions SHOULD NOT be tracked until a

End of changes. 4 change blocks.
	7 lines changed or deleted	8 lines changed or added
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/