RADIUS EXTensions J.-F. Rieckers Internet-Draft DFN Obsoletes: 6614 (if approved) S. Winter Intended status: Standards Track RESTENA Expires: 11 September 2023 10 March 2023 Transport Layer Security (TLS) Encryption for RADIUS draft-rieckers-radext-rfc6614bis-02 Abstract This document specifies a transport profile for RADIUS using Transport Layer Security (TLS) over TCP as the transport protocol. This enables dynamic trust relationships between RADIUS servers as well as encrypting RADIUS traffic between servers using a shared secret. About This Document This note is to be removed before publishing as an RFC. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-rieckers-radext-rfc6614bis/. Discussion of this document takes place on the RADIUS EXTensions Working Group mailing list (mailto:radext@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/radext/. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 11 September 2023. Rieckers & Winter Expires 11 September 2023 [Page 1] Internet-Draft RADIUS over TLS March 2023 Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Conventions and Definitions . . . . . . . . . . . . . . . 3 1.2. Changes from RFC6614 . . . . . . . . . . . . . . . . . . 4 2. Transport layer security for RADIUS/TCP . . . . . . . . . . . 4 2.1. TCP port and Packet Types . . . . . . . . . . . . . . . . 5 2.2. TLS Connection setup . . . . . . . . . . . . . . . . . . 5 2.3. TLS Peer Authentication . . . . . . . . . . . . . . . . . 6 2.3.1. Authentication using X.509 certificates with PKIX trust model . . . . . . . . . . . . . . . . . . . . . . . . 6 2.3.2. Authentication using certificate fingerprints . . . . 8 2.3.3. Authentication using TLS-PSK . . . . . . . . . . . . 8 2.3.4. Authentication using Raw Public Keys . . . . . . . . 8 2.4. Connecting Client Identity . . . . . . . . . . . . . . . 8 2.5. RADIUS Datagrams . . . . . . . . . . . . . . . . . . . . 9 3. Design Decisions . . . . . . . . . . . . . . . . . . . . . . 11 3.1. Implications of Dynamic Peer Discovery . . . . . . . . . 11 3.2. X.509 Certificate Considerations . . . . . . . . . . . . 11 3.3. Cipher Suites and Compression Negotiation Considerations . . . . . . . . . . . . . . . . . . . . . 11 3.4. RADIUS Datagram Considerations . . . . . . . . . . . . . 12 4. Compatibility with Other RADIUS Transports . . . . . . . . . 13 5. Security Considerations . . . . . . . . . . . . . . . . . . . 13 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 7.1. Normative References . . . . . . . . . . . . . . . . . . 15 7.2. Informative References . . . . . . . . . . . . . . . . . 16 Appendix A. Lessons learned from deployments of the Experimental RFC6614 . . . . . . . . . . . . . . . . . . . . . . . . . 17 A.1. eduroam . . . . . . . . . . . . . . . . . . . . . . . . . 17 A.2. Wireless Broadband Alliance's OpenRoaming . . . . . . . . 19 A.3. Participating in more than one roaming consortium . . . . 19 Appendix B. Interoperable Implementations . . . . . . . . . . . 20 Rieckers & Winter Expires 11 September 2023 [Page 2] Internet-Draft RADIUS over TLS March 2023 Appendix C. Backward compatibility . . . . . . . . . . . . . . . 20 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 20 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 1. Introduction The RADIUS protocol [RFC2865] is a widely deployed authentication and authorization protocol. The supplementary RADIUS Accounting specification [RFC2866] provides accounting mechanisms, thus delivering a full Authentication, Authorization, and Accounting (AAA) solution. However, RADIUS has shown several shortcomings, especially the lack of security for large parts of its packet payload. RADIUS security is based on the MD5 algorithm, which has been proven to be insecure. The main focus of RADIUS over TLS is to provide a means to secure the communication between RADIUS/TCP peers using TLS. The most important use of this specification lies in roaming environments where RADIUS packets need to be transferred through different administrative domains and untrusted, potentially hostile network. There are multiple known attacks on the MD5 algorithm that is used in RADIUS to provide integrity protection and a limited confidentiality protection. RADIUS over TLS wraps the entire RADIUS packet payload into a TLS stream and thus mitigates the risk of attacks on MD5. Because of the static trust establishment between RADIUS peers (IP address and shared secret), the only scalable way of creating a massive deployment of RADIUS servers under the control of different administrative entities is to introduce some form of a proxy chain to route the access requests to their home server. This creates a lot of overhead in terms of possible points of failure, longer transmission times, as well as middleboxes through which authentication traffic flows. These middleboxes may learn privacy- relevant data while forwarding requests. The new features in RADIUS over TLS add a new way to identify other peers, e.g., by checking a certificate for the issuer or other certificate properties, but also provides a simple upgrade path for existing RADIUS connection by simply using the shared secret to authenticate the TLS session. 1.1. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Rieckers & Winter Expires 11 September 2023 [Page 3] Internet-Draft RADIUS over TLS March 2023 Within this document we will use the following terms: RADIUS/TLS node: a RADIUS-over-TLS client or server RADIUS/TLS Client: a RADIUS-over-TLS instance that initiates a new connection RADIUS/TLS Server: a RADIUS-over-TLS instance that listens on a RADIUS-over-TLS port and accepts new connections RADIUS/UDP: a classic RADIUS transport over UDP as defined in [RFC2865] 1.2. Changes from RFC6614 Currently, there are no big changes, since this is just a restructured spec from [RFC6614]. The following things have changed: Required TLS versions: TLS 1.2 is now the minimum TLS version, TLS 1.3 is included as recommended. TLS compression: [RFC6614] allowed usage of TLS compression, this document forbids it. TLS-PSK support: [RFC6614] lists support for TLS-PSK as OPTIONAL, this document changes this to RECOMMENDED. Mandatory-to-implement(MTI) cipher suites: Following the recommendation from [RFC9325], the RC4 cipher suite is no longer included as SHOULD, and the AES cipher suite is the new MTI cipher suite, since it is the MTI cipher suite from TLS 1.2. Additionally, this document references [RFC9325] for further recommendations for cipher suites. The following things will change in future versions of this draft: * Usage of Server Name Indication * More text for TLS-PSK 2. Transport layer security for RADIUS/TCP This section specifies the way TLS is used to secure the traffic and the changes in the handling of RADIUS packets. Rieckers & Winter Expires 11 September 2023 [Page 4] Internet-Draft RADIUS over TLS March 2023 2.1. TCP port and Packet Types The default destination port number for RADIUS over TLS is TCP/2083. There are no separate ports for authentication, accounting, and dynamic authorization changes. The source port is arbitrary. 2.2. TLS Connection setup The RADIUS/TLS nodes first try to establish a TCP connection as per [RFC6613]. Failure to connect leads to continuous retries. It is RECOMMENDED to use exponentially growing intervals between every try. After completing the TCP handshake, the RADIUS/TLS nodes immediately negotiate a TLS session. The following restrictions apply: * Support for TLS 1.2 [RFC5246] is REQUIRED, support for TLS 1.3 [RFC8446] is RECOMMENDED. RADIUS/TLS nodes MUST NOT negotiate TLS versions prior to TLS 1.2. * The RADIUS/TLS nodes MUST NOT offer or negotiate cipher suites which do not provide confidentiality and integrity protection. * The RADIUS/TLS nodes MUST NOT negotiate compression. * When using TLS 1.3, RADIUS/TLS nodes MUST NOT use early data ([RFC8446], Section 2.3) * RADIUS/TLS implementations MUST, at minimum, support negotiation of the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite and SHOULD follow the recommendations for supported cipher suites in [RFC9325], Section 4. * In addition, RADIUS/TLS implementations MUST support negotiation of the mandatory-to-implement cipher suites required by the versions of TLS they support. Details for peer authentication are described in Section 2.3. After successful negotiation of a TLS session, the RADIUS/TLS peers can start exchanging RADIUS datagrams. The shared secret to compute the (obsolete) MD5 integrity checks and attribute obfuscation MUST be "radsec". Rieckers & Winter Expires 11 September 2023 [Page 5] Internet-Draft RADIUS over TLS March 2023 2.3. TLS Peer Authentication Peers MUST mutually authenticate each other at the TLS layer. The authentication of peers can be done using different models, that will be described here. Peers can also perform additional authorization checks based on non-TLS information. For example, verifying that the client IP address (source IP address of the TLS connection) falls within a particular network range. 2.3.1. Authentication using X.509 certificates with PKIX trust model All RADIUS/TLS implementations MUST implement this model, following the following rules: * Implementations MUST allow the configuration of a list of trusted Certificate Authorities for incoming connections. * Certificate validation MUST include the verification rules as per [RFC5280]. * Implementations SHOULD indicate their trusted Certification Authorities (CAs). See [RFC5246], Section 7.4.4 and [RFC6066], Section 6 for TLS 1.2 and [RFC8446], Section 4.2.4 for TLS 1.3. * RADIUS/TLS clients validate the server identity to match their local configuration: - If the expected RADIUS/TLS server was configured as a hostname, the configured name is matched against the presented names from the subjectAltName:DNS extension; if no such exist, against the presented CN component of the certificate subject. - If the expected RADIUS/TLS server was configured as an IP address, the configured IP address is matched against the presented addresses in the subjectAltName:iPAddr extension; if no such exist, against the presented CN component of the certificate subject. - If the expected RADIUS/TLS server was not configured but discovered as per [RFC7585], the peer executes the following checks in this order, accepting the certificate on the first match: o The realm which was used as input to the discovery is matched against the presented realm names from the subjectAltName:naiRealm extension. Rieckers & Winter Expires 11 September 2023 [Page 6] Internet-Draft RADIUS over TLS March 2023 o If the discovery process yielded a hostname, this hostname is matched against the presented names from the subjectAltName:DNS extension; if no such exist, against the presented CN component of the certificate subject. Implementations MAY require the use of DNSSEC [RFC4033] to ensure the authenticity of the DNS result before relying on this for trust checks. o If the previous checks fail, the certificate MAY be accepted without further name checks immediately after the [RFC5280] trust chain checks. * RADIUS/TLS server validate the incoming certificate against a local database of acceptable clients. The database may enumerate acceptable clients either by IP address or by a name component in the certificate. - For clients configured by name, the configured name is matched against the presented names from the subjectAltName:DNS extension; if no such exists, against the presented CN component in the certificate subject. - For clients configured by their source IP address, the configured IP address is matched against the presented addresses in the subjectAltName:iPAddr extension; if no such exist, against the presented CN component of the certificate subject. - It is possible for a RADIUS/TLS server to not require additional name checks for incoming RADIUS/TLS clients. In this case, the certificate is accepted immediately after the [RFC5280] trust chain checks. This MUST NOT be used outside of trusted network environments or without additional certificate attribute checks in place. * Implementations MAY allow the configuration of a set of additional properties of the certificate to check for a peer's authorization to communicate (e.g., a set of allowed values in subjectAltName:URI or a set of allowed X.509v3 Certificate Policies). * When the configured trust base changes (e.g., removal of a CA from the list of trusted CAs; issuance of a new CRL for a given CA), implementations MAY renegotiate the TLS session to reassess the connecting peer's continued authorization. // Replace may with should here? // // -- Janfred Rieckers & Winter Expires 11 September 2023 [Page 7] Internet-Draft RADIUS over TLS March 2023 2.3.2. Authentication using certificate fingerprints RADIUS/TLS implementations SHOULD allow the configuration of a list of trusted certificates, identified via fingerprint of the DER encoded certificate octets. When implementing this model, support for SHA-1 as hash algorithm for the fingerprint is REQUIRED, and support for the more contemporary has function SHA-256 is RECOMMENDED. 2.3.3. Authentication using TLS-PSK RADIUS/TLS implementations SHOULD support the use of TLS-PSK. 2.3.4. Authentication using Raw Public Keys RADIUS/TLS implementations SHOULD support using Raw Public Keys [RFC7250] for mutual authentication. // TODO: More text here. // // -- Janfred 2.4. Connecting Client Identity In RADIUS/UDP, clients are uniquely identified by their IP address. Since the shared secret is associated with the origin IP address, if more than one RADIUS client is associated with the same IP address, then those clients also must utilize the same shared secret. This practice is inherently insecure, as noted in [RFC5247], Section 5.3.2. Following the different authentication modes presented in Section 2.3, the identification of clients can be done by different means: In TLS-PSK operation, a client is uniquely identified by its PSK Identity. When using certificate fingerprints, a client is uniquely identified by the fingerprint of the presented client certificate. When using X.509 certificates with a PKIX trust model, a client is uniquely identified by the tuple of the serial number of the presended client certificate and the issuer of the client certificate. Rieckers & Winter Expires 11 September 2023 [Page 8] Internet-Draft RADIUS over TLS March 2023 // TODO: Client identity when using Raw Public Key needs to be // described here. // // -- Janfred Note well: having identified a connecting entity does not mean the server necessarily wants to communicate with that client. For example, if the issuer is not in a trusted set of issuers, the server may decline to perform RADIUS transactions with this client. There are numerous trust models in PKIX environments, and it is beyond the scope of this document to define how a particular deployment determines whether a client is trustworthy. Implementations that want to support a wide variety of trust models should expose as many details of the presented certificate to the administrator as possible so that the trust model can be implemented by the administrator. As a suggestion, at least the following parameters of the X.509 client certificate should be exposed: * Originating IP address * Certificate Fingerprint * Issuer * Subject * all X.509v3 Extended Key Usage * all X.509v3 Subject Alternative Name * all X.509v3 Certificate Policies For TLS-PSK operation, at least the following parameters of the TLS connection should be exposed: * Originating IP address * PSK Identity 2.5. RADIUS Datagrams Authentication, Authorization, and Accounting packets are sent according to the following rules: RADIUS/TLS clients transmit the same packet types on the connection they initiated as a RADIUS/UDP client would. For example, they send Rieckers & Winter Expires 11 September 2023 [Page 9] Internet-Draft RADIUS over TLS March 2023 * Access-Request * Accounting-Request * Status-Server * Disconnect-ACK * Disconnect-NAK * ... RADIUS/TLS servers transmit the same packets on connections they have accepted as a RADIUS/UDP server would. For example, they send * Access-Challenge * Access-Accept * Access-Reject * Accounting-Response * Disconnect-Request * ... Due to the use of one single TCP port for all packet types, it is required that a RADIUS/TLS server signal which types of packets are supported on a server to a connecting peer. * When an unwanted packet of type 'CoA-Request' or 'Disconnect- Request' is received, a RADIUS/TLS server needs to respond with a 'CoA-NAK' or 'Disconnect-NAK', respectively. The NAK SHOULD contain an attribute Error-Cause with the value 406 ("Unsupported Extension"); see [RFC5176] for details. * When an unwanted packet of type 'Accounting-Request' is received, the RADIUS/TLS server SHOULD reply with an Accounting-Response containing an Error-Cause attribute with value 406 "Unsupported Extension" as defined in [RFC5176]. A RADIUS/TLS accounting client receiving such an Accounting-Response SHOULD log the error and stop sending Accounting-Request packets to this server. Rieckers & Winter Expires 11 September 2023 [Page 10] Internet-Draft RADIUS over TLS March 2023 3. Design Decisions This section explains the design decisions that led to the rules defined in the previous section, as well as a reasoning behind the differences to [RFC6614]. 3.1. Implications of Dynamic Peer Discovery One mechanism to discover RADIUS-over-TLS peers dynamically via DNS is specified in [RFC7585]. While this mechanism is still under development and therefore is not a normative dependency of RADIUS/ TLS, the use of dynamic discovery has potential future implications that are important to understand. Readers of this document who are considering the deployment of DNS- based dynamic discovery are thus encouraged to read [RFC7585] and follow its future development. 3.2. X.509 Certificate Considerations (1) If a RADIUS/TLS client is in possession of multiple certificates from different CAs (i.e., is part of multiple roaming consortia) and dynamic discovery is used, the discovery mechanism possibly does not yield sufficient information to identify the consortium uniquely (e.g., DNS discovery). Subsequently, the client may not know by itself which client certificate to use for the TLS handshake. Then, it is necessary for the server to signal to which consortium it belongs and which certificates it expects. If there is no risk of confusing multiple roaming consortia, providing this information in the handshake is not crucial. (2) If a RADIUS/TLS server is in possession of multiple certificates from different CAs (i.e., is part of multiple roaming consortia), it will need to select one of its certificates to present to the RADIUS/TLS client. If the client sends the Trusted CA Indication, this hint can make the server select the appropriate certificate and prevent a handshake failure. Omitting this indication makes it impossible to deterministically select the right certificate in this case. If there is no risk of confusing multiple roaming consortia, providing this indication in the handshake is not crucial. 3.3. Cipher Suites and Compression Negotiation Considerations See [RFC9325] for considerations regarding the cipher suites and negotiation. Rieckers & Winter Expires 11 September 2023 [Page 11] Internet-Draft RADIUS over TLS March 2023 3.4. RADIUS Datagram Considerations (1) After the TLS session is established, RADIUS packet payloads are exchanged over the encrypted TLS tunnel. In RADIUS/UDP, the packet size can be determined by evaluating the size of the datagram that arrived. Due to the stream nature of TCP and TLS, this does not hold true for RADIUS/TLS packet exchange. Instead, packet boundaries of RADIUS packets that arrive in the stream are calculated by evaluating the packet's Length field. Special care needs to be taken on the packet sender side that the value of the Length field is indeed correct before sending it over the TLS tunnel, because incorrect packet lengths can no longer be detected by a differing datagram boundary. See Section 2.6.4 of [RFC6613] for more details. (2) Within RADIUS/UDP [RFC2865], a shared secret is used for hiding attributes such as User-Password, as well as in computation of the Response Authenticator. In RADIUS accounting [RFC2866], the shared secret is used in computation of both the Request Authenticator and the Response Authenticator. Since TLS provides integrity protection and encryption sufficient to substitute for RADIUS application-layer security, it is not necessary to configure a RADIUS shared secret. The use of a fixed string for the obsolete shared secret eliminates possible node misconfigurations. (3) RADIUS/UDP [RFC2865] uses different UDP ports for authentication, accounting, and dynamic authorization changes. RADIUS/TLS allocates a single port for all RADIUS packet types. Nevertheless, in RADIUS/TLS, the notion of a client that sends authentication requests and processes replies associated with its users' sessions and the notion of a server that receives requests, processes them, and sends the appropriate replies is to be preserved. The normative rules about acceptable packet types for clients and servers mirror the packet flow behavior from RADIUS/ UDP. (4) RADIUS/UDP [RFC2865] uses negative ICMP responses to a newly allocated UDP port to signal that a peer RADIUS server does not support the reception and processing of the packet types in [RFC5176]. These packet types are listed as to be received in RADIUS/TLS implementations. Note well: it is not required for an implementation to actually process these packet types; it is only required that the NAK be sent as defined above. (5) RADIUS/UDP [RFC2865] uses negative ICMP responses to a newly Rieckers & Winter Expires 11 September 2023 [Page 12] Internet-Draft RADIUS over TLS March 2023 allocated UDP port to signal that a peer RADIUS server does not support the reception and processing of RADIUS Accounting packets. There is no RADIUS datagram to signal an Accounting NAK. Clients may be misconfigured for sending Accounting packets to a RADIUS/ TLS server that does not wish to process their Accounting packet. To prevent a regression of detectability of this situation, the Accounting-Response + Error-Cause signaling was introduced. 4. Compatibility with Other RADIUS Transports The IETF defines multiple alternative transports to the classic UDP transport model as defined in [RFC2865], namely RADIUS over TCP [RFC6613], the present document on RADIUS over TLS and RADIUS over Datagram Transport Layer Security (DTLS) [RFC7360]. RADIUS/TLS does not specify any inherent backward compatibility to RADIUS/UDP or cross compatibility to the other transports, i.e., an implementation that utilizes RADIUS/TLS only will not be able to receive or send RADIUS packet payloads over other transports. An implementation wishing to be backward or cross compatible (i.e., wishes to serve clients using other transports than RADIUS/TLS) will need to implement these other transports along with the RADIUS/TLS transport and be prepared to send and receive on all implemented transports, which is called a "multi-stack implementation". If a given IP device is able to receive RADIUS payloads on multiple transports, this may or may not be the same instance of software, and it may or may not serve the same purposes. It is not safe to assume that both ports are interchangeable. In particular, it cannot be assumed that state is maintained for the packet payloads between the transports. Two such instances MUST be considered separate RADIUS server entities. 5. Security Considerations The computational resources to establish a TLS tunnel are significantly higher than simply sending mostly unencrypted UDP datagrams. Therefore, clients connecting to a RADIUS/TLS node will more easily create high load conditions and a malicious client might create a Denial-of-Service attack more easily. Some TLS cipher suites only provide integrity validation of their payload and provide no encryption. This specification forbids the use of such cipher suites. Since the RADIUS payload's shared secret is fixed to the well-known term "radsec", failure to comply with this requirement will expose the entire datagram payload in plaintext, including User-Password, to intermediate IP nodes. Rieckers & Winter Expires 11 September 2023 [Page 13] Internet-Draft RADIUS over TLS March 2023 By virtue of being based on TCP, there are several generic attack vectors to slow down or prevent the TCP connection from being established; see [RFC4953] for details. If a TCP connection is not up when a packet is to be processed, it gets re-established, so such attacks in general lead only to a minor performance degradation (the time it takes to re-establish the connection). There is one notable exception where an attacker might create a bidding-down attack though. If peer communication between two devices is configured for both RADIUS/TLS and RADIUS/UDP, and the RADIUS/UDP transport is the failover option if the TLS session cannot be established, a bidding- down attack can occur if an adversary can maliciously close the TCP connection or prevent it from being established. Situtations where clients are configured in such a way are likely to occur during a migration phase from RADIUS/UDP to RADIUS/TLS. By preventing the TLS session setup, the attacker can reduce the security of the packet payload from the selected TLS cipher suite packet encryption to the classic MD5 per-attribute encryption. The situation should be avoided by disabling the weaker RADIUS/UDP transport as soon as the new RADIUS/TLS connection is established and tested. RADIUS/TLS provides authentication and encryption between RADIUS peers. In the presence of proxies, the intermediate proxies can still inspect the individual RADIUS packets, i.e., "end-to-end" encryption is not provided. Where intermediate proxies are untrusted, it is desirable to use other RADIUS mechanisms to prevent RADIUS packet payload from inspection by such proxies. One common method to protect passwords is the use of the Extensible Authentication Protocol (EAP) and EAP methods that utilize TLS. For dynamic discovery, this document allows the acceptance of a certificate only after doing PKIX checks. When using publicly trusted CAs as trust anchor, this may lead to security issues, since an advisary may easily get a valid certificate from this CAs. In current practice of [RFC6614], this problem is circumvented by using a private CA as a trust anchor. This private CA only issues certificate to members of the roaming consortium. This may still enable a malicious member to intercept traffic not intended for them, however, depending on the size of the consortium, this attack vector may be negligible. If the private CA also issues certificates for other purposes than RADIUS/TLS, the RADIUS/TLS certificates SHOULD include RADIUS/TLS-specific attributes against the implementation can check such as a X.509v3 Certificate Policy specific for RADIUS/TLS. When using certificate fingerprints to identify RADIUS/TLS peers, any two certificates that produce the same hash value (i.e., that have a hash collision) will be considered the same client. Therefore, it is important to make sure that the hash function used is cryptographically uncompromised so that an attacker is very unlikely Rieckers & Winter Expires 11 September 2023 [Page 14] Internet-Draft RADIUS over TLS March 2023 to be able to produce a hash collision with a certificate of his choice. While this specification mandates support for SHA-1, a later revision will likely demand support for more contemporary hash functions because as of issuance of this document, there are already attacks on SHA-1. 6. IANA Considerations Upon approval, IANA should update the Reference to radsec in the Service Name and Transport Protocol Port Number Registry: * Service Name: radsec * Port Number: 2083 * Transport Protocol: tcp * Description: Secure RADIUS Service * Assignment notes: The TCP port 2083 was already previously assigned by IANA for "RadSec", an early implementation of RADIUS/ TLS, prior to issuance of the experimental RFC 6614. [This document] updates RFC 6614, while maintaining backward compatibility, if configured. For further details see RFC 6614, Appendix A or [This document], Appendix C. 7. References 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, DOI 10.17487/RFC2865, June 2000, . [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, DOI 10.17487/RFC2866, June 2000, . [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, . Rieckers & Winter Expires 11 September 2023 [Page 15] Internet-Draft RADIUS over TLS March 2023 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, . [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) Extensions: Extension Definitions", RFC 6066, DOI 10.17487/RFC6066, January 2011, . [RFC6613] DeKok, A., "RADIUS over TCP", RFC 6613, DOI 10.17487/RFC6613, May 2012, . [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., Weiler, S., and T. Kivinen, "Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, June 2014, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . [RFC9325] Sheffer, Y., Saint-Andre, P., and T. Fossati, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", BCP 195, RFC 9325, DOI 10.17487/RFC9325, November 2022, . 7.2. Informative References [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, DOI 10.17487/RFC4033, March 2005, . [RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks", RFC 4953, DOI 10.17487/RFC4953, July 2007, . Rieckers & Winter Expires 11 September 2023 [Page 16] Internet-Draft RADIUS over TLS March 2023 [RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", RFC 5176, DOI 10.17487/RFC5176, January 2008, . [RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible Authentication Protocol (EAP) Key Management Framework", RFC 5247, DOI 10.17487/RFC5247, August 2008, . [RFC6614] Winter, S., McCauley, M., Venaas, S., and K. Wierenga, "Transport Layer Security (TLS) Encryption for RADIUS", RFC 6614, DOI 10.17487/RFC6614, May 2012, . [RFC7360] DeKok, A., "Datagram Transport Layer Security (DTLS) as a Transport Layer for RADIUS", RFC 7360, DOI 10.17487/RFC7360, September 2014, . [RFC7585] Winter, S. and M. McCauley, "Dynamic Peer Discovery for RADIUS/TLS and RADIUS/DTLS Based on the Network Access Identifier (NAI)", RFC 7585, DOI 10.17487/RFC7585, October 2015, . [RFC7593] Wierenga, K., Winter, S., and T. Wolniewicz, "The eduroam Architecture for Network Roaming", RFC 7593, DOI 10.17487/RFC7593, September 2015, . Appendix A. Lessons learned from deployments of the Experimental [RFC6614] There are at least two major (world-scale) deployments of [RFC6614]. A.1. eduroam eduroam is a globally operating Wi-Fi roaming consortium exclusively for persons in Research and Education. For an extensive background on eduroam and its authentication fabric architecture, refer to [RFC7593]. Rieckers & Winter Expires 11 September 2023 [Page 17] Internet-Draft RADIUS over TLS March 2023 Over time, more than a dozen out of 100+ national branches of eduroam used RADIUS/TLS in production to secure their country-to-country RADIUS proxy connections. This number is big enough to attest that the protocol does work, and scales. The number is also low enough to wonder why RADIUS/UDP continued to be used by a majority of country deployments despite its significant security issues. Operational experience reveals that the main reason is related to the choice of PKIX certificates for securing the proxy interconnections. Compared to shared secrets, certificates are more complex to handle in multiple dimensions: * Lifetime: PKIX certificates have an expiry date, and need administrator attention and expertise for their renewal * Validation: The validation of a certificate (both client and server) requires contacting a third party to verify the recovaction status. This either takes time during session setup (OCSP checks) or requires the presence of a fresh CRL on the server - this in turn requires regular update of that CRL. * Issuance: PKIX certificates carry properties in the Subject and extensions that need to be vetted. Depending on the CA policy, a certificate request may need significant human intervention to be verified. In particular, the authorisation of a requester to operate a server for a particular NAI realm needs to be verified. This rules out public "browser-trusted" CAs; eduroam is operating a special-purpose CA for eduroam RADIUS/TLS purposes. * Automatic failure over time: CRL refresh and certificate renewal must be attended to regularly. Failure to do so leads to failure of the authentication service. Among other reasons, employee churn with incorrectly transferred or forgotten responsibilities is a risk factor. It appears that these complexities often outweigh the argument of improved security; and a fallback to RADIUS/UDP is seen as the more appealing option. It can be considered an important result of the experiment in [RFC6614] that providing less complex ways of operating RADIUS/TLS are required. The more thoroughly specified provisions in the current document towards TLS-PSK and raw public keys are a response to this insight. Rieckers & Winter Expires 11 September 2023 [Page 18] Internet-Draft RADIUS over TLS March 2023 On the other hand, using RADIUS/TLS in combination with Dynamic Discovery as per [RFC7585] necessitates the use of PKIX certificates. So, the continued ability to operate with PKIX certificates is also important and cannot be discontinued without sacrificing vital funcionality of large roaming consortia. A.2. Wireless Broadband Alliance's OpenRoaming OpenRoaming is a globally operating Wi-Fi roaming consortium for the general public, operated by the Wireless Broadband Alliance (WBA). With its (optional) settled usage of hotspots, the consortium requires both RADIUS authentication as well as RADIUS accounting. The consortium operational procedures were defined in the late 2010s when [RFC6614] and [RFC7585] were long available. The consortium decided to fully base itself on these two RFCs. In this architecture, using PSKs or raw public keys is not an option. The complexities around PKIX certificates as discussed in the previous section are believed to be controllable: the consortium operates its own special-purpose CA and can rely on a reliable source of truth for operator authorisation (becoming an operator requires a paid membership in WBA); expiry and revocation topics can be expected to be dealt with as high-priority because of the monetary implications in case of infrastructure failure during settled operation. A.3. Participating in more than one roaming consortium It is possible for a RADIUS/TLS (home) server to participate in more than one roaming consortium, i.e. to authenticate its users to multiple clients from distinct consortia, which present client certificates from their respective consortium's CA; and which expect the server to present a certificate from the matching CA. The eduroam consortium has chosen to cooperate with (the settlement- free parts of) OpenRoaming to allow eduroam users to log in to (settlement-free) OpenRoaming hotspots. eduroam RADIUS/TLS servers thus may be contacted by OpenRoaming clients expecting an OpenRoaming server certificate, and by eduroam clients expecting an eduroam server certificate. It is therefore necessary to decide on the certificate to present during TLS session establishment. To make that decision, the availability of Trusted CA Indication in the client TLS message is important. Rieckers & Winter Expires 11 September 2023 [Page 19] Internet-Draft RADIUS over TLS March 2023 It can be considered an important result of the experiment in [RFC6614] that Trusted CA Indication is an important asset for inter- connectivity of multiple roaming consortia. Appendix B. Interoperable Implementations [RFC6614] is implemented and interoperates between at least three server implementations: FreeRADIUS, radsecproxy, Radiator. It is also implemented among a number of Wireless Access Points / Controllers from numerous vendors, including but not limited to: Aruba Networks, LANCOM Systems. Appendix C. Backward compatibility TODO describe necessary steps to configure common servers for compatibility with this version. Hopefully the differences to [RFC6614] are small enough that almost no config change is necessary. Acknowledgments Thanks to the original authors of RFC 6614: Stefan Winter, Mike McCauley, Stig Venaas and Klaas Vierenga. TODO more acknowledgements Authors' Addresses Jan-Frederik Rieckers Deutsches Forschungsnetz | German National Research and Education Network Alexanderplatz 1 10178 Berlin Germany Email: rieckers@dfn.de URI: www.dfn.de Stefan Winter Fondation Restena | Restena Foundation 2, avenue de l'Université L-4365 Esch-sur-Alzette Luxembourg Email: stefan.winter@restena.lu URI: www.restena.lu Rieckers & Winter Expires 11 September 2023 [Page 20]