draft-ietf-radext-dtls-10.txt | draft-ietf-radext-dtls-11.txt | |||
---|---|---|---|---|
Network Working Group Alan DeKok | Network Working Group Alan DeKok | |||
INTERNET-DRAFT FreeRADIUS | INTERNET-DRAFT FreeRADIUS | |||
Category: Experimental | Category: Experimental | |||
<draft-ietf-radext-dtls-10.txt> | <draft-ietf-radext-dtls-11.txt> | |||
Expires: October 15, 2015 | Expires: October 28, 2015 | |||
16 April 2014 | 30 April 2014 | |||
DTLS as a Transport Layer for RADIUS | DTLS as a Transport Layer for RADIUS | |||
draft-ietf-radext-dtls-10 | draft-ietf-radext-dtls-11 | |||
Abstract | Abstract | |||
The RADIUS protocol defined in RFC 2865 has limited support for | The RADIUS protocol defined in RFC 2865 has limited support for | |||
authentication and encryption of RADIUS packets. The protocol | authentication and encryption of RADIUS packets. The protocol | |||
transports data in the clear, although some parts of the packets can | transports data in the clear, although some parts of the packets can | |||
have obfuscated content. Packets may be replayed verbatim by an | have obfuscated content. Packets may be replayed verbatim by an | |||
attacker, and client-server authentication is based on fixed shared | attacker, and client-server authentication is based on fixed shared | |||
secrets. This document specifies how the Datagram Transport Layer | secrets. This document specifies how the Datagram Transport Layer | |||
Security (DTLS) protocol may be used as a fix for these problems. It | Security (DTLS) protocol may be used as a fix for these problems. It | |||
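Review bot: the date and expiry lines in the -11 header are inconsistent: "30 April 2014" paired with "Expires: October 28, 2015" is an eighteen-month gap, while an Internet-Draft expires about six months after its date (the -10 header has the same problem with "16 April 2014" and "Expires: October 15, 2015"). Either the year on the date line should read 2015 or the expiry should fall in late October 2014; correct whichever of the two is wrong before -11 is posted.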
skipping to change at page 3, line 39 | skipping to change at page 3, line 39 | |||
9.1. Radsecproxy ......................................... 18 | 9.1. Radsecproxy ......................................... 18 | |||
9.2. jradius ............................................. 18 | 9.2. jradius ............................................. 18 | |||
10. Security Considerations ................................. 19 | 10. Security Considerations ................................. 19 | |||
10.1. Crypto-Agility ..................................... 19 | 10.1. Crypto-Agility ..................................... 19 | |||
10.2. Legacy RADIUS Security ............................. 20 | 10.2. Legacy RADIUS Security ............................. 20 | |||
10.3. Resource Exhaustion ................................ 21 | 10.3. Resource Exhaustion ................................ 21 | |||
10.4. Client-Server Authentication with DTLS ............. 21 | 10.4. Client-Server Authentication with DTLS ............. 21 | |||
10.5. Network Address Translation ........................ 22 | 10.5. Network Address Translation ........................ 22 | |||
10.6. Wildcard Clients ................................... 23 | 10.6. Wildcard Clients ................................... 23 | |||
10.7. Session Closing .................................... 23 | 10.7. Session Closing .................................... 23 | |||
10.8. Client Subsystems .................................. 23 | 10.8. Client Subsystems .................................. 24 | |||
11. References .............................................. 24 | 11. References .............................................. 24 | |||
11.1. Normative references ............................... 24 | 11.1. Normative references ............................... 24 | |||
11.2. Informative references ............................. 25 | 11.2. Informative references ............................. 25 | |||
1. Introduction | 1. Introduction | |||
The RADIUS protocol as described in [RFC2865], [RFC2866], [RFC5176], | The RADIUS protocol as described in [RFC2865], [RFC2866], [RFC5176], | |||
and others has traditionally used methods based on MD5 [RFC1321] for | and others has traditionally used methods based on MD5 [RFC1321] for | |||
per-packet authentication and integrity checks. However, the MD5 | per-packet authentication and integrity checks. However, the MD5 | |||
algorithm has known weaknesses such as [MD5Attack] and [MD5Break]. | algorithm has known weaknesses such as [MD5Attack] and [MD5Break]. | |||
skipping to change at page 12, line 30 | skipping to change at page 12, line 30 | |||
DTLS Session | DTLS Session | |||
Any information required to maintain and manage the DTLS session. | Any information required to maintain and manage the DTLS session. | |||
Last Taffic | Last Taffic | |||
A variable containing a timestamp which indicates when this session | A variable containing a timestamp which indicates when this session | |||
last received valid traffic. If "Last Traffic" is not used, this | last received valid traffic. If "Last Traffic" is not used, this | |||
variable may not exist. | variable may not exist. | |||
DTLS Data | DTLS Data | |||
An implementation-specific variable which may information about the | An implementation-specific variable which may contain information | |||
active DTLS session. This variable may be empty or non existent. | about the active DTLS session. This variable may be empty or non | |||
existent. | ||||
This data will typically contain information such as idle timeouts, | This data will typically contain information such as idle timeouts, | |||
session lifetimes, and other implementation-specific data. | session lifetimes, and other implementation-specific data. | |||
5.1.1. Session Opening and Closing | 5.1.1. Session Opening and Closing | |||
Session tracking is subject to Denial of Service (DoS) attacks due to | Session tracking is subject to Denial of Service (DoS) attacks due to | |||
the ability of an attacker to forge UDP traffic. RADIUS/DTLS servers | the ability of an attacker to forge UDP traffic. RADIUS/DTLS servers | |||
SHOULD use the stateless cookie tracking technique described in | SHOULD use the stateless cookie tracking technique described in | |||
[RFC6347] Section 4.2.1. DTLS sessions SHOULD NOT be tracked until a | [RFC6347] Section 4.2.1. DTLS sessions SHOULD NOT be tracked until a | |||
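Review bot: the field heading "Last Taffic" is still misspelled in -11 even though the definition directly beneath it refers to "Last Traffic"; since this change block already touches the adjacent "DTLS Data" definition, fix the heading to "Last Traffic" in the same block. The inserted "contain" in "which may contain information about the active DTLS session" is the right fix for the dropped verb; while there, "non existent" should be one word, "nonexistent".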
End of changes. 4 change blocks.
7 lines changed or deleted | 8 lines changed or added
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/