draft-ietf-radext-dtls-10.txt   draft-ietf-radext-dtls-11.txt 
Network Working Group Alan DeKok Network Working Group Alan DeKok
INTERNET-DRAFT FreeRADIUS INTERNET-DRAFT FreeRADIUS
Category: Experimental Category: Experimental
<draft-ietf-radext-dtls-10.txt> <draft-ietf-radext-dtls-11.txt>
Expires: October 15, 2015 Expires: October 28, 2015
16 April 2014 30 April 2014
DTLS as a Transport Layer for RADIUS DTLS as a Transport Layer for RADIUS
draft-ietf-radext-dtls-10 draft-ietf-radext-dtls-11
Abstract Abstract
The RADIUS protocol defined in RFC 2865 has limited support for The RADIUS protocol defined in RFC 2865 has limited support for
authentication and encryption of RADIUS packets. The protocol authentication and encryption of RADIUS packets. The protocol
transports data in the clear, although some parts of the packets can transports data in the clear, although some parts of the packets can
have obfuscated content. Packets may be replayed verbatim by an have obfuscated content. Packets may be replayed verbatim by an
attacker, and client-server authentication is based on fixed shared attacker, and client-server authentication is based on fixed shared
secrets. This document specifies how the Datagram Transport Layer secrets. This document specifies how the Datagram Transport Layer
Security (DTLS) protocol may be used as a fix for these problems. It Security (DTLS) protocol may be used as a fix for these problems. It
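Review bot: the date and expiry lines in the header disagree by a year in both columns: a draft dated "30 April 2014" with the usual six-month lifetime would expire at the end of October 2014, yet the header says "Expires: October 28, 2015" (and the -10 column likewise pairs "16 April 2014" with "October 15, 2015"). The expiry matches a 30 April 2015 publication date, so the date line should read 2015; fix it in the same revision that bumped the draft number and expiry.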
skipping to change at page 3, line 39 skipping to change at page 3, line 39
9.1. Radsecproxy ......................................... 18 9.1. Radsecproxy ......................................... 18
9.2. jradius ............................................. 18 9.2. jradius ............................................. 18
10. Security Considerations ................................. 19 10. Security Considerations ................................. 19
10.1. Crypto-Agility ..................................... 19 10.1. Crypto-Agility ..................................... 19
10.2. Legacy RADIUS Security ............................. 20 10.2. Legacy RADIUS Security ............................. 20
10.3. Resource Exhaustion ................................ 21 10.3. Resource Exhaustion ................................ 21
10.4. Client-Server Authentication with DTLS ............. 21 10.4. Client-Server Authentication with DTLS ............. 21
10.5. Network Address Translation ........................ 22 10.5. Network Address Translation ........................ 22
10.6. Wildcard Clients ................................... 23 10.6. Wildcard Clients ................................... 23
10.7. Session Closing .................................... 23 10.7. Session Closing .................................... 23
10.8. Client Subsystems .................................. 23 10.8. Client Subsystems .................................. 24
11. References .............................................. 24 11. References .............................................. 24
11.1. Normative references ............................... 24 11.1. Normative references ............................... 24
11.2. Informative references ............................. 25 11.2. Informative references ............................. 25
1. Introduction 1. Introduction
The RADIUS protocol as described in [RFC2865], [RFC2866], [RFC5176], The RADIUS protocol as described in [RFC2865], [RFC2866], [RFC5176],
and others has traditionally used methods based on MD5 [RFC1321] for and others has traditionally used methods based on MD5 [RFC1321] for
per-packet authentication and integrity checks. However, the MD5 per-packet authentication and integrity checks. However, the MD5
algorithm has known weaknesses such as [MD5Attack] and [MD5Break]. algorithm has known weaknesses such as [MD5Attack] and [MD5Break].
skipping to change at page 12, line 30 skipping to change at page 12, line 30
DTLS Session DTLS Session
Any information required to maintain and manage the DTLS session. Any information required to maintain and manage the DTLS session.
Last Taffic Last Taffic
A variable containing a timestamp which indicates when this session A variable containing a timestamp which indicates when this session
last received valid traffic. If "Last Traffic" is not used, this last received valid traffic. If "Last Traffic" is not used, this
variable may not exist. variable may not exist.
DTLS Data DTLS Data
An implementation-specific variable which may information about the An implementation-specific variable which may contain information
active DTLS session. This variable may be empty or non existent. about the active DTLS session. This variable may be empty or non
existent.
This data will typically contain information such as idle timeouts, This data will typically contain information such as idle timeouts,
session lifetimes, and other implementation-specific data. session lifetimes, and other implementation-specific data.
5.1.1. Session Opening and Closing 5.1.1. Session Opening and Closing
Session tracking is subject to Denial of Service (DoS) attacks due to Session tracking is subject to Denial of Service (DoS) attacks due to
the ability of an attacker to forge UDP traffic. RADIUS/DTLS servers the ability of an attacker to forge UDP traffic. RADIUS/DTLS servers
SHOULD use the stateless cookie tracking technique described in SHOULD use the stateless cookie tracking technique described in
[RFC6347] Section 4.2.1. DTLS sessions SHOULD NOT be tracked until a [RFC6347] Section 4.2.1. DTLS sessions SHOULD NOT be tracked until a
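Review bot: the term heading "Last Taffic" is still misspelled in both columns while the definition under it refers to "Last Traffic"; since this change block already touches the adjacent "DTLS Data" definition (supplying the missing verb so it reads "may contain information about the active DTLS session"), correct the heading to "Last Traffic" in the same revision, and hyphenate "non existent" as "non-existent" in the reflowed line.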
 End of changes. 4 change blocks. 
7 lines changed or deleted 8 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/