RADIUS Over DTLS

Post on 23-Mar-2016


description

RADIUS Over DTLS. RADEXT - Interim. Alan DeKok, FreeRADIUS. draft-ietf-radext-dtls-00 Submitted. Changes from draft-dekok-radext-dtls-02: Name / date; STATUS -> RFC 5997; Removed RFC 5378 disclaimer. Open Issues: Need to re-sync with RTLS draft; Double-check consistency, etc.

transcript

RADIUS Over DTLS

Alan DeKok, FreeRADIUS

RADEXT - Interim

draft-ietf-radext-dtls-00 Submitted

• Changes from draft-dekok-radext-dtls-02
  • Name / date
  • STATUS -> RFC 5997
  • Removed RFC 5378 disclaimer


Open Issues

• Need to re-sync with RTLS draft
  • Double-check consistency, etc.
• Port re-use issues
  • Use the same port? Different ports?
• Would like review from Stig Venaas (radsecproxy)


Implementations

• RadSecProxy
• Jradius
• FreeRADIUS (ongoing, expected Q1 2011)


Questions?


Backup slides


Changes from RadSec

• Mostly clear-cut changes
  • TCP ➙ UDP, RadSec ➙ RDTLS, TLS ➙ DTLS
• Some differences
  • re-uses RADIUS port
  • retains code ➙ port restrictions


Magic

• RADIUS & DTLS on the same port
• key: { src (ip, port), dst (ip, port) } -> proto
  • proto = DTLS or RADIUS
  • works for live “connections”
• proto is DTLS or RADIUS
  • MUST NOT transport both over same key


More Magic

• What about new sessions?
• key: { src (ip, port) + dst (ip, port) } -> ???
• Look at packet contents
  • (packet[0] == 22) ? DTLS : RADIUS
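The two "Magic" slides together describe one receiver-side algorithm. The following is an added illustration, not code from the slides or from FreeRADIUS: a table keyed on { src (ip, port), dst (ip, port) } decides the protocol for live "connections", and an unknown key is classified by the first byte (22 is the DTLS handshake content type, so a ClientHello starts with it). The drop-on-mismatch check and the sample packets are assumptions added here.

```python
from typing import Dict, Optional, Tuple

# Constructed sample packets (not captured traffic): a DTLS 1.2 record header
# whose first byte is content type 22 (handshake), one with content type 23
# (application data), and a minimal RADIUS Access-Request header
# (Code 1, Identifier 0, Length 20, 16-byte Request Authenticator).
SAMPLE_DTLS_HELLO = bytes([22, 0xFE, 0xFD]) + bytes(8) + bytes([0, 0])
SAMPLE_DTLS_DATA = bytes([23, 0xFE, 0xFD]) + bytes(8) + bytes([0, 0])
SAMPLE_RADIUS = bytes([1, 0, 0, 20]) + bytes(16)

Key = Tuple[str, int, str, int]     # { src (ip, port), dst (ip, port) }
DTLS_CONTENT_TYPES = range(20, 24)  # change_cipher_spec, alert, handshake, app data
DTLS_HANDSHAKE = 22


class SharedPortDemux:
    """Routes datagrams from one UDP port to either the RADIUS or the DTLS stack."""

    def __init__(self) -> None:
        self.sessions: Dict[Key, str] = {}  # live "connections" -> "DTLS" | "RADIUS"

    @staticmethod
    def classify_new(packet: bytes) -> str:
        # New session with no table entry: (packet[0] == 22) ? DTLS : RADIUS
        return "DTLS" if packet and packet[0] == DTLS_HANDSHAKE else "RADIUS"

    def dispatch(self, key: Key, packet: bytes) -> Optional[str]:
        """Return "DTLS" or "RADIUS" for packet, or None if it must be dropped."""
        proto = self.sessions.get(key)
        if proto is None:
            proto = self.classify_new(packet)
            self.sessions[key] = proto
            return proto
        # Receiver-side check, an assumption added here (the slides state the
        # sender-side rule "MUST NOT transport both over same key"): a packet
        # that does not look like the key's protocol is dropped rather than
        # handed to the wrong parser.
        looks_dtls = bool(packet) and packet[0] in DTLS_CONTENT_TYPES
        if (proto == "DTLS") != looks_dtls:
            return None
        return proto

    def close(self, key: Key) -> None:
        # Forgetting the key lets the next datagram be classified afresh.
        self.sessions.pop(key, None)
```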


Step by Step Guide

• Draft outlines full management algorithm
  • When client is known to support a protocol
  • Includes processing of legacy RADIUS
  • Outlines management of upgrade path


What it does (not) do

• ✓ Future-proof security via TLS
• ✓ Backwards compatibility
• ✓ Simple migration path
• ✖ Order, reliability, fragmentation