From proxies-bounces@ietf.org  Tue Oct 14 08:34:47 2008
Return-Path: <proxies-bounces@ietf.org>
X-Original-To: proxies-archive@ietf.org
Delivered-To: ietfarch-proxies-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 317C33A6C10;
	Tue, 14 Oct 2008 08:34:47 -0700 (PDT)
X-Original-To: proxies@core3.amsl.com
Delivered-To: proxies@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 1EB013A6C20
	for <proxies@core3.amsl.com>; Tue, 14 Oct 2008 08:34:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level: 
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id CCKEaaA+eyun for <proxies@core3.amsl.com>;
	Tue, 14 Oct 2008 08:34:44 -0700 (PDT)
Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227])
	by core3.amsl.com (Postfix) with ESMTP id DBB523A6862
	for <proxies@ietf.org>; Tue, 14 Oct 2008 08:34:40 -0700 (PDT)
Received: from mesico.nist.gov (csme13.ncsl.nist.gov [129.6.54.47])
	by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id m9EFYxPG000581
	for <proxies@ietf.org>; Tue, 14 Oct 2008 11:35:00 -0400
Message-Id: <7.0.1.0.2.20081014111653.0251b108@nist.gov>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0
Date: Tue, 14 Oct 2008 11:34:59 -0400
To: proxies@ietf.org
From: Katrin Hoeper <katrin.hoeper@nist.gov>
Mime-Version: 1.0
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: katrin.hoeper@nist.gov
Subject: [proxies] Call for comments and co-authors:
 <draft-hoeper-proxythreat-00.txt>
X-BeenThere: proxies@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for ad hoc group interested in security and proxies
	<proxies.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/proxies>,
	<mailto:proxies-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/proxies>
List-Post: <mailto:proxies@ietf.org>
List-Help: <mailto:proxies-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/proxies>,
	<mailto:proxies-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0681559499=="
Sender: proxies-bounces@ietf.org
Errors-To: proxies-bounces@ietf.org

--===============0681559499==
Content-Type: multipart/alternative;
	boundary="=====================_7856031==.ALT"

--=====================_7856031==.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed

Hello everybody,

I have put together a 00-draft attempting to summarize the 
discussions in Philadelphia and on this list.
Please read the draft and send me your comments:

"Threat Model for Networks Employing AAA Proxies"
<draft-hoeper-proxythreat-00.txt>
http://tools.ietf.org/html/draft-hoeper-proxythreat-00

I am sure  I missed a lot of things and other things need to be 
corrected That's why I need your feedback!
Also, I am seeing myself as the editor of the document and am looking 
for co-authors. Please let me know if you are interested.

I hope to get out a 01-draft before the next IETF meeting, i.e. 
comments (and co-authors ;)) before the end of the month are highly 
appreciated.

Regards,
Katrin


----------
Katrin Hoeper
Computer Security Division
National Institute of Standards and Technology (NIST)
100 Bureau Dr. Mail stop: 8930
Gaithersburg, MD 20899
(301) 975 - 4024

--=====================_7856031==.ALT
Content-Type: text/html; charset="us-ascii"

<html>
<body>
Hello everybody,<br><br>
I have put together a 00-draft attempting to summarize the discussions in
Philadelphia and on this list. <br>
Please read the draft and send me your comments:<br><br>
&quot;Threat Model for Networks Employing AAA Proxies&quot;<br>
&lt;draft-hoeper-proxythreat-00.txt&gt;<br>
<a href="http://tools.ietf.org/html/draft-hoeper-proxythreat-00" eudora="autourl">
http://tools.ietf.org/html/draft-hoeper-proxythreat-00<br><br>
</a>I am sure&nbsp; I missed a lot of things and other things need to be
corrected That's why I need your feedback!<br>
Also, I am seeing myself as the editor of the document and am looking for
co-authors. Please let me know if you are interested.<br>
&nbsp;<br>
I hope to get out a 01-draft before the next IETF meeting, i.e. comments
(and co-authors ;)) before the end of the month are highly
appreciated.<br><br>
Regards,<br>
Katrin<br>
<x-sigsep><p></x-sigsep>
<hr>
<font size=3>Katrin Hoeper<br>
Computer Security Division<br>
National Institute of Standards and Technology (NIST)<br>
100 Bureau Dr. Mail stop: 8930<br>
Gaithersburg, MD 20899<br>
(301) 975 - 4024<br>
</font></body>
</html>

--=====================_7856031==.ALT--



--===============0681559499==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Proxies mailing list
Proxies@ietf.org
https://www.ietf.org/mailman/listinfo/proxies

--===============0681559499==--




From proxies-bounces@ietf.org  Thu Oct 16 06:43:15 2008
Return-Path: <proxies-bounces@ietf.org>
X-Original-To: proxies-archive@ietf.org
Delivered-To: ietfarch-proxies-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id ECE8A3A698E;
	Thu, 16 Oct 2008 06:43:15 -0700 (PDT)
X-Original-To: proxies@core3.amsl.com
Delivered-To: proxies@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 830553A698E
	for <proxies@core3.amsl.com>; Thu, 16 Oct 2008 06:43:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.231
X-Spam-Level: 
X-Spam-Status: No, score=-2.231 tagged_above=-999 required=5 tests=[AWL=0.368, 
	BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id MYGWIkD520FO for <proxies@core3.amsl.com>;
	Thu, 16 Oct 2008 06:43:13 -0700 (PDT)
Received: from legolas.restena.lu (legolas.restena.lu [158.64.1.34])
	by core3.amsl.com (Postfix) with ESMTP id 8BCE73A6805
	for <proxies@ietf.org>; Thu, 16 Oct 2008 06:43:13 -0700 (PDT)
Received: from legolas.restena.lu (localhost [127.0.0.1])
	by legolas.restena.lu (Postfix) with ESMTP id 5B16192683;
	Thu, 16 Oct 2008 15:44:14 +0200 (CEST)
Received: from [158.64.1.155] (aragorn.restena.lu [158.64.1.155])
	by legolas.restena.lu (Postfix) with ESMTPA id 48AFAB8B3D;
	Thu, 16 Oct 2008 15:44:14 +0200 (CEST)
Message-ID: <48F7452E.8040006@restena.lu>
Date: Thu, 16 Oct 2008 15:44:14 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Thunderbird 2.0.0.17 (X11/20080922)
MIME-Version: 1.0
To: Katrin Hoeper <katrin.hoeper@nist.gov>
References: <7.0.1.0.2.20081014111653.0251b108@nist.gov>
In-Reply-To: <7.0.1.0.2.20081014111653.0251b108@nist.gov>
X-Enigmail-Version: 0.95.7
X-Virus-Scanned: ClamAV
Cc: proxies@ietf.org
Subject: Re: [proxies] Call for comments and co-authors:
	<draft-hoeper-proxythreat-00.txt>
X-BeenThere: proxies@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for ad hoc group interested in security and proxies
	<proxies.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/proxies>,
	<mailto:proxies-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/proxies>
List-Post: <mailto:proxies@ietf.org>
List-Help: <mailto:proxies-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/proxies>,
	<mailto:proxies-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: proxies-bounces@ietf.org
Errors-To: proxies-bounces@ietf.org

Hi Katrin,

> I have put together a 00-draft attempting to summarize the discussions
> in Philadelphia and on this list.

Thanks a lot!

> Please read the draft and send me your comments:

Attacks 1-4 are really quite broad in scope. They work on the network
layer and can be applied to all sorts of packets. While what's written
in these sections is true, I wonder if it needs an explicit mention in
this document, which is supposed to deal with AAA proxy-specific attacks.

Attack 5 is more severe than stated in the document: AAA protocols might
send their payload in parts in the clear. Intermediate hops (not only
AAA proxies) may extract information out of these payloads, even without
knowledge of keying material. RADIUS only encrypts a small subset of
attributes on the wire. Diameter communication MUST be encrypted with
IPSec or TLS (but there was talk going on on the dime list for making
this a SHOULD in 3588bis, IIRC).

5.2.2 re "[Editor's note: Is this true?]": Access-Request packets in
RADIUS can be unauthenticated and thus be replayed. This will happen if
the Message-Authenticator digest is not present in the request. This is
NOT RECOMMENDED as per RFC5080, but possible (and existing deployed
practice).

5.2.8, re "[Editor's note: Are AAA attributes typically protected?]":
There are key wrapping schemes that provide encryption between the ends
of the AAA communication for individual attributes. They require
out-of-band signalling of the wrapping keying material though, and are
not an inherent protocol feature. So while they can be protected it is
"typically" not the case (at least in the networks I work with, maybe
other people have other experiences).

Oh, and a typo in section 6:

This section uses the thread model =


-> threat


Greetings,

Stefan Winter

-- =

Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - R=E9seau T=E9l=E9informatique de l'Education Nationale =
et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

_______________________________________________
Proxies mailing list
Proxies@ietf.org
https://www.ietf.org/mailman/listinfo/proxies