summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7585.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc7585.txt')
-rw-r--r--doc/rfc/rfc7585.txt1795
1 files changed, 1795 insertions, 0 deletions
diff --git a/doc/rfc/rfc7585.txt b/doc/rfc/rfc7585.txt
new file mode 100644
index 0000000..c8641be
--- /dev/null
+++ b/doc/rfc/rfc7585.txt
@@ -0,0 +1,1795 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) S. Winter
+Request for Comments: 7585 RESTENA
+Category: Experimental M. McCauley
+ISSN: 2070-1721 AirSpayce
+ October 2015
+
+
+ Dynamic Peer Discovery for RADIUS/TLS and RADIUS/DTLS
+ Based on the Network Access Identifier (NAI)
+
+Abstract
+
+ This document specifies a means to find authoritative RADIUS servers
+ for a given realm. It is used in conjunction with either RADIUS over
+ Transport Layer Security (RADIUS/TLS) or RADIUS over Datagram
+ Transport Layer Security (RADIUS/DTLS).
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for examination, experimental implementation, and
+ evaluation.
+
+ This document defines an Experimental Protocol for the Internet
+ community. This document is a product of the Internet Engineering
+ Task Force (IETF). It represents the consensus of the IETF
+ community. It has received public review and has been approved for
+ publication by the Internet Engineering Steering Group (IESG). Not
+ all documents approved by the IESG are a candidate for any level of
+ Internet Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7585.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Winter & McCauley Experimental [Page 1]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+Copyright Notice
+
+ Copyright (c) 2015 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 5
+ 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
+ 1.3. Document Status . . . . . . . . . . . . . . . . . . . . . 6
+ 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 2.1. DNS Resource Record (RR) Definition . . . . . . . . . . . 7
+ 2.1.1. S-NAPTR . . . . . . . . . . . . . . . . . . . . . . . 7
+ 2.1.2. SRV . . . . . . . . . . . . . . . . . . . . . . . . . 12
+ 2.1.3. Optional Name Mangling . . . . . . . . . . . . . . . 12
+ 2.2. Definition of the X.509 Certificate Property
+ SubjectAltName:otherName:NAIRealm . . . . . . . . . . . . 14
+ 3. DNS-Based NAPTR/SRV Peer Discovery . . . . . . . . . . . . . 16
+ 3.1. Applicability . . . . . . . . . . . . . . . . . . . . . . 16
+ 3.2. Configuration Variables . . . . . . . . . . . . . . . . . 16
+ 3.3. Terms . . . . . . . . . . . . . . . . . . . . . . . . . . 16
+ 3.4. Realm to RADIUS Server Resolution Algorithm . . . . . . . 17
+ 3.4.1. Input . . . . . . . . . . . . . . . . . . . . . . . . 17
+ 3.4.2. Output . . . . . . . . . . . . . . . . . . . . . . . 18
+ 3.4.3. Algorithm . . . . . . . . . . . . . . . . . . . . . . 18
+ 3.4.4. Validity of Results . . . . . . . . . . . . . . . . . 20
+ 3.4.5. Delay Considerations . . . . . . . . . . . . . . . . 21
+ 3.4.6. Example . . . . . . . . . . . . . . . . . . . . . . . 21
+ 4. Operations and Manageability Considerations . . . . . . . . . 24
+ 5. Security Considerations . . . . . . . . . . . . . . . . . . . 25
+ 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 26
+ 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27
+ 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 29
+ 8.1. Normative References . . . . . . . . . . . . . . . . . . 29
+ 8.2. Informative References . . . . . . . . . . . . . . . . . 30
+ Appendix A. ASN.1 Syntax of NAIRealm . . . . . . . . . . . . . . 31
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32
+
+
+
+Winter & McCauley Experimental [Page 2]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+1. Introduction
+
+ RADIUS in all its current transport variants (RADIUS/UDP, RADIUS/TCP,
+ RADIUS/TLS, and RADIUS/DTLS) requires manual configuration of all
+ peers (clients and servers).
+
+ Where more than one administrative entity collaborates for RADIUS
+ authentication of their respective customers (a "roaming
+ consortium"), the Network Access Identifier (NAI) [RFC7542] is the
+ suggested way of differentiating users between those entities; the
+ part of a username to the right of the "@" delimiter in an NAI is
+ called the user's "realm". Where many realms and RADIUS forwarding
+ servers are in use, the number of realms to be forwarded and the
+ corresponding number of servers to configure may be significant.
+ Where new realms with new servers are added or details of existing
+ servers change on a regular basis, maintaining a single monolithic
+ configuration file for all these details may prove too cumbersome to
+ be useful.
+
+ Furthermore, in cases where a roaming consortium consists of
+ independently working branches (e.g., departments and national
+ subsidiaries), each with their own forwarding servers, and who add or
+ change their realm lists at their own discretion, there is additional
+ complexity in synchronizing the changed data across all branches.
+
+ Where realms can be partitioned (e.g., according to their top-level
+ domain (TLD) ending), forwarding of requests can be realized with a
+ hierarchy of RADIUS servers, all serving their partition of the realm
+ space. Figure 1 shows an example of this hierarchical routing.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Winter & McCauley Experimental [Page 3]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ +-------+
+ | |
+ | . |
+ | |
+ +---+---+
+ / | \
+ +----------------/ | \---------------------+
+ | | |
+ | | |
+ | | |
+ +--+---+ +--+--+ +----+---+
+ | | | | | |
+ | .edu | . . . | .nl | . . . | .ac.uk |
+ | | | | | |
+ +--+---+ +--+--+ +----+---+
+ / | \ | \ |
+ / | \ | \ |
+ / | \ | \ |
+ +-----+ | +-----+ | +------+ |
+ | | | | | |
+ | | | | | |
+ +---+---+ +----+---+ +----+---+ +--+---+ +-----+----+ +-----+-----+
+ | | | | | | | | | | | |
+ |utk.edu| |utah.edu| |case.edu| |hva.nl| |surfnet.nl| |soton.ac.uk|
+ | | | | | | | | | | | |
+ +----+--+ +--------+ +--------+ +------+ +----+-----+ +-----------+
+ | |
+ | |
+ +--+--+ +--+--+
+ | | | |
+ +-+-----+-+ | |
+ | | +-----+
+ +---------+
+ user: paul@surfnet.nl surfnet.nl Authentication server
+
+ Figure 1: RADIUS Hierarchy Based on Top-Level Domain Partitioning
+
+ However, such partitioning is not always possible. As an example, in
+ one real-life deployment, the administrative boundaries and RADIUS
+ forwarding servers are organized along country borders, but generic
+ top-level domains such as .edu do not map to this choice of
+ boundaries (see [RFC7593] for details). These situations can benefit
+ significantly from a distributed mechanism for storing realm and
+ server reachability information. This document describes one such
+ mechanism: storage of realm-to-server mappings in DNS; realm-based
+ request forwarding can then be realized without a static hierarchy
+ such as in the following figure:
+
+
+
+
+Winter & McCauley Experimental [Page 4]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ ---------
+ / \
+ --------- ------------
+ / \
+ | DNS -
+ ----------| \
+ / \ surfnet.nl NAPTR? |
+ (1) / ---- -> radius.surfnet.nl /
+ / \ /
+ / -------- ---------
+ / \---------/
+ |
+ | ---------------------------------------
+ | / (2) RADIUS \
+ | | |
+ +---+---+ +----+---+ +----+---+ +--+---+ +-----+----+ +-----+-----+
+ | | | | | | | | | | | |
+ |utk.edu| |utah.edu| |case.edu| |hva.nl| |surfnet.nl| |soton.ac.uk|
+ | | | | | | | | | | | |
+ +----+--+ +--------+ +--------+ +------+ +----+-----+ +-----------+
+ | |
+ | |
+ +--+--+ +--+--+
+ | | | |
+ +-+-----+-+ | |
+ | | +-----+
+ +---------+
+ user: paul@surfnet.nl surfnet.nl Authentication server
+
+ Figure 2: RADIUS Hierarchy Based on Top-Level Domain Partitioning
+
+ This document also specifies various approaches for verifying that
+ server information that was retrieved from DNS was from an authorized
+ party; for example, an organization that is not at all part of a
+ given roaming consortium may alter its own DNS records to yield a
+ result for its own realm.
+
+1.1. Requirements Language
+
+ In this document, several words are used to signify the requirements
+ of the specification. The key words "MUST", "MUST NOT", "REQUIRED",
+ "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
+ and "OPTIONAL" in this document are to be interpreted as described in
+ RFC 2119 [RFC2119].
+
+
+
+
+
+
+
+Winter & McCauley Experimental [Page 5]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+1.2. Terminology
+
+ RADIUS/TLS Client: a RADIUS/TLS [RFC6614] instance that initiates a
+ new connection.
+
+ RADIUS/TLS Server: a RADIUS/TLS [RFC6614] instance that listens on a
+ RADIUS/TLS port and accepts new connections.
+
+ RADIUS/TLS Node: a RADIUS/TLS client or server.
+
+ [RFC7542] defines the terms NAI, realm, and consortium.
+
+1.3. Document Status
+
+ This document is an Experimental RFC.
+
+ The communities expected to use this document are roaming consortia
+ whose authentication services are based on the RADIUS protocol.
+
+ The duration of the experiment is undetermined; as soon as enough
+ experience is collected on the choice points mentioned below, it is
+ expected to be obsoleted by a Standards Track version of the
+ protocol, which trims down the choice points.
+
+ If that removal of choice points obsoletes tags or service names as
+ defined in this document and allocated by IANA, these items will be
+ returned to IANA as per the provisions in [RFC6335].
+
+ The document provides a discovery mechanism for RADIUS, which is very
+ similar to the approach that is taken with the Diameter protocol
+ [RFC6733]. As such, the basic approach (using Naming Authority
+ Pointer (NAPTR) records in DNS domains that match NAI realms) is not
+ of a very experimental nature.
+
+ However, the document offers a few choice points and extensions that
+ go beyond the provisions for Diameter. The list of major additions/
+ deviations is
+
+ o provisions for determining the authority of a server to act for
+ users of a realm (declared out of scope for Diameter)
+
+ o much more in-depth guidance on DNS regarding timeouts, failure
+ conditions, and alteration of Time-To-Live (TTL) information than
+ the Diameter counterpart
+
+ o a partially correct routing error detection during DNS lookups
+
+
+
+
+
+Winter & McCauley Experimental [Page 6]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+2. Definitions
+
+2.1. DNS Resource Record (RR) Definition
+
+ DNS definitions of RADIUS/TLS servers can be either S-NAPTR records
+ (see [RFC3958]) or SRV records. When both are defined, the
+ resolution algorithm prefers S-NAPTR results (see Section 3.4 below).
+
+2.1.1. S-NAPTR
+
+2.1.1.1. Registration of Application Service and Protocol Tags
+
+ This specification defines three S-NAPTR service tags:
+
+ +-----------------+-----------------------------------------+
+ | Service Tag | Use |
+ +-----------------+-----------------------------------------+
+ | aaa+auth | RADIUS Authentication, i.e., traffic as |
+ | | defined in [RFC2865] |
+ | - - - - - - - - | - - - - - - - - - - - - - - - - - - - - |
+ | aaa+acct | RADIUS Accounting, i.e., traffic as |
+ | | defined in [RFC2866] |
+ | - - - - - - - - | - - - - - - - - - - - - - - - - - - - - |
+ | aaa+dynauth | RADIUS Dynamic Authorization, i.e., |
+ | | traffic as defined in [RFC5176] |
+ +-----------------+-----------------------------------------+
+
+ Figure 3: List of Service Tags
+
+ This specification defines two S-NAPTR protocol tags:
+
+ +-----------------+-----------------------------------------+
+ | Protocol Tag | Use |
+ +-----------------+-----------------------------------------+
+ | radius.tls.tcp | RADIUS transported over TLS as defined |
+ | | in [RFC6614] |
+ | - - - - - - - - | - - - - - - - - - - - - - - - - - - - - |
+ | radius.dtls.udp | RADIUS transported over DTLS as defined |
+ | | in [RFC7360] |
+ +-----------------+-----------------------------------------+
+
+ Figure 4: List of Protocol Tags
+
+ Note well:
+
+ The S-NAPTR service and protocols are unrelated to the IANA
+ "Service Name and Transport Protocol Port Number Registry".
+
+
+
+
+Winter & McCauley Experimental [Page 7]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ The delimiter "." in the protocol tags is only a separator for
+ human reading convenience -- not for structure or namespacing; it
+ MUST NOT be parsed in any way by the querying application or
+ resolver.
+
+ The use of the separator "." is common also in other protocols'
+ protocol tags. This is coincidence and does not imply a shared
+ semantics with such protocols.
+
+2.1.1.2. Definition of Conditions for Retry/Failure
+
+ RADIUS is a time-critical protocol; RADIUS clients that do not
+ receive an answer after a configurable, but short, amount of time
+ will consider the request failed. Due to this, there is little
+ leeway for extensive retries.
+
+ As a general rule, only error conditions that generate an immediate
+ response from the other end are eligible for a retry of a discovered
+ target. Any error condition involving timeouts, or the absence of a
+ reply for more than one second during the connection setup phase, is
+ to be considered a failure; the next target in the set of discovered
+ NAPTR targets is to be tried.
+
+ Note that [RFC3958] already defines that a failure to identify the
+ server as being authoritative for the realm is always considered a
+ failure; so even if a discovered target returns a wrong credential
+ instantly, it is not eligible for retry.
+
+ Furthermore, the contacted RADIUS/TLS server verifies during
+ connection setup whether or not it finds the connecting RADIUS/TLS
+ client authorized. If the connecting RADIUS/TLS client is not found
+ acceptable, the server will close the TLS connection immediately with
+ an appropriate alert. Such TLS handshake failures are permanently
+ fatal and not eligible for retry, unless the connecting client has
+ more X.509 certificates to try; in this case, a retry with the
+ remainder of its set of certificates SHOULD be attempted. Not trying
+ all available client certificates potentially creates a DoS for the
+ end user whose authentication attempt triggered the discovery; one of
+ the neglected certificates might have led to a successful RADIUS
+ connection and subsequent end-user authentication.
+
+ If the TLS session setup to a discovered target does not succeed,
+ that target (as identified by the IP address and port number) SHOULD
+ be ignored from the result set of any subsequent executions of the
+ discovery algorithm at least until the target's Effective TTL (see
+ Section 3.3) has expired or until the entity that executes the
+ algorithm changes its TLS context to either send a new client
+ certificate or expect a different server certificate.
+
+
+
+Winter & McCauley Experimental [Page 8]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+2.1.1.3. Server Identification and Handshake
+
+ After the algorithm in this document has been executed, a RADIUS/TLS
+ session as per [RFC6614] is established. Since the discovery
+ algorithm does not have provisions to establish confidential keying
+ material between the RADIUS/TLS client (i.e., the server that
+ executes the discovery algorithm) and the RADIUS/TLS server that was
+ discovered, Pre-Shared Key (PSK) ciphersuites for TLS cannot be used
+ in the subsequent TLS handshake. Only TLS ciphersuites using X.509
+ certificates can be used with this algorithm.
+
+ There are numerous ways to define which certificates are acceptable
+ for use in this context. This document defines one mandatory-to-
+ implement mechanism that allows verification of whether the contacted
+ host is authoritative for an NAI realm or not. It also gives one
+ example of another mechanism that is currently in widespread
+ deployment and one possible approach based on DNSSEC, which is yet
+ unimplemented.
+
+ For the approaches that use trust roots (see the following two
+ sections), a typical deployment will use a dedicated trust store for
+ RADIUS/TLS certificate authorities, particularly a trust store that
+ is independent from default "browser" trust stores. Often, this will
+ be one or a few Certification Authorities (CAs), and they only issue
+ certificates for the specific purpose of establishing RADIUS server-
+ to-server trust. It is important not to trust a large set of CAs
+ that operate outside the control of the roaming consortium, since
+ their issuance of certificates with the properties important for
+ authorization (such as NAIRealm and policyOID below) is difficult to
+ verify. Therefore, clients SHOULD NOT be preconfigured with a list
+ of known public CAs by the vendor or manufacturer. Instead, the
+ clients SHOULD start off with an empty CA list. The addition of a CA
+ SHOULD be done only when manually configured by an administrator.
+
+2.1.1.3.1. Mandatory-to-Implement Mechanism: Trust Roots + NAIRealm
+
+ Verification of authority to provide Authentication, Authorization,
+ and Accounting (AAA) services over RADIUS/TLS is a two-step process.
+
+ Step 1 is the verification of certificate well-formedness and
+ validity as per [RFC5280] and whether it was issued from a root
+ certificate that is deemed trustworthy by the RADIUS/TLS client.
+
+ Step 2 is to compare the value of the algorithm's variable "R" after
+ the execution of step 3 of the discovery algorithm in Section 3.4.3
+ below (i.e., after a consortium name mangling but before conversion
+ to a form usable by the name resolution library) to all values of the
+
+
+
+
+Winter & McCauley Experimental [Page 9]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ contacted RADIUS/TLS server's X.509 certificate property
+ "subjectAlternativeName:otherName:NAIRealm" as defined in
+ Section 2.2.
+
+2.1.1.3.2. Other Mechanism: Trust Roots + policyOID
+
+ Verification of authority to provide AAA services over RADIUS/TLS is
+ a two-step process.
+
+ Step 1 is the verification of certificate well-formedness and
+ validity as per [RFC5280] and whether it was issued from a root
+ certificate that is deemed trustworthy by the RADIUS/TLS client.
+
+ Step 2 is to compare the values of the contacted RADIUS/TLS server's
+ X.509 certificate's extensions of type "Policy OID" to a list of
+ configured acceptable Policy OIDs for the roaming consortium. If one
+ of the configured OIDs is found in the certificate's Policy OID
+ extensions, then the server is considered authorized; if there is no
+ match, the server is considered unauthorized.
+
+ This mechanism is inferior to the mandatory-to-implement mechanism in
+ the previous section because all authorized servers are validated by
+ the same OID value; the mechanism is not fine grained enough to
+ express authority for one specific realm inside the consortium. If
+ the consortium contains members that are hostile against other
+ members, this weakness can be exploited by one RADIUS/TLS server
+ impersonating another if DNS responses can be spoofed by the hostile
+ member.
+
+ The shortcomings in server identification can be partially mitigated
+ by using the RADIUS infrastructure only with authentication payloads
+ that provide mutual authentication and credential protection (i.e.,
+ Extensible Authentication Protocol (EAP) types passing the criteria
+ of [RFC4017]): using mutual authentication prevents the hostile
+ server from mimicking the real EAP server (it can't terminate the EAP
+ authentication unnoticed because it does not have the server
+ certificate from the real EAP server); protection of credentials
+ prevents the impersonating server from learning usernames and
+ passwords of the ongoing EAP conversation (other RADIUS attributes
+ pertaining to the authentication, such as the EAP peer's Calling-
+ Station-ID, can still be learned though).
+
+2.1.1.3.3. Other Mechanism: DNSSEC/DANE
+
+ Where DNSSEC is used, the results of the algorithm can be trusted;
+ that is, the entity that executes the algorithm can be certain that
+ the realm that triggered the discovery is actually served by the
+ server that was discovered via DNS. However, this does not guarantee
+
+
+
+Winter & McCauley Experimental [Page 10]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ that the server is also authorized (i.e., a recognized member of the
+ roaming consortium). The server still needs to present an X.509
+ certificate proving its authority to serve a particular realm.
+
+ The authorization can be sketched using DNSSEC and DNS-Based
+ Authentication of Named Entities (DANE) as follows: DANE/TLSA records
+ of all authorized servers are put into a DNSSEC zone that contains
+ all known and authorized realms; the zone is rooted in a common,
+ consortium-agreed branch of the DNS tree. The entity executing the
+ algorithm uses the realm information from the authentication attempt
+ and then attempts to retrieve TLSA resource records (TLSA RRs) for
+ the DNS label "realm.commonroot". It then verifies that the
+ presented server certificate during the RADIUS/TLS handshake matches
+ the information in the TLSA record.
+
+ Example:
+
+ Realm = "example.com"
+
+ Common Branch = "idp.roaming-consortium.example.
+
+ label for TLSA query = "example.com.idp.roaming-
+ consortium.example.
+
+ result of discovery algorithm for realm "example.com" =
+ 192.0.2.1:2083
+
+ ( TLS certificate of 192.0.2.1:2083 matches TLSA RR ? "PASS" :
+ "FAIL" )
+
+2.1.1.3.4. Client Authentication and Authorization
+
+ Note that RADIUS/TLS connections always mutually authenticate the
+ RADIUS server and the RADIUS client. This specification provides an
+ algorithm for a RADIUS client to contact and verify authorization of
+ a RADIUS server only. During connection setup, the RADIUS server
+ also needs to verify whether it considers the connecting RADIUS
+ client authorized; this is outside the scope of this specification.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Winter & McCauley Experimental [Page 11]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+2.1.2. SRV
+
+ This specification defines two SRV prefixes (i.e., two values for the
+ "_service._proto" part of an SRV RR as per [RFC2782]):
+
+ +-------------------+-----------------------------------------+
+ | SRV Label | Use |
+ +-------------------+-----------------------------------------+
+ | _radiustls._tcp | RADIUS transported over TLS as defined |
+ | | in [RFC6614] |
+ | - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - |
+ | _radiusdtls._udp | RADIUS transported over DTLS as defined |
+ | | in [RFC7360] |
+ +-------------------+-----------------------------------------+
+
+ Figure 5: List of SRV Labels
+
+ Just like NAPTR records, the lookup and subsequent follow up of SRV
+ records may yield more than one server to contact in a prioritized
+ list. [RFC2782] does not specify rules regarding "Definition of
+ Conditions for Retry/Failure" nor "Server Identification and
+ Handshake". This specification states that the rules for these two
+ topics as defined in Sections 2.1.1.2 and 2.1.1.3 SHALL be used both
+ for targets retrieved via an initial NAPTR RR as well as for targets
+ retrieved via an initial SRV RR (i.e., in the absence of NAPTR RRs).
+
+2.1.3. Optional Name Mangling
+
+ It is expected that in most cases, the SRV and/or NAPTR label used
+ for the records is the DNS A-label representation of the literal
+ realm name for which the server is the authoritative RADIUS server
+ (i.e., the realm name after conversion according to Section 5 of
+ [RFC5891]).
+
+ However, arbitrary other labels or service tags may be used if, for
+ example, a roaming consortium uses realm names that are not
+ associated to DNS names or special-purpose consortia where a globally
+ valid discovery is not a use case. Such other labels require a
+ consortium-wide agreement about the transformation from realm name to
+ lookup label and/or which service tag to use.
+
+
+
+
+
+
+
+
+
+
+
+Winter & McCauley Experimental [Page 12]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ Examples:
+
+ a. A general-purpose RADIUS server for realm example.com might have
+ DNS entries as follows:
+
+ example.com. IN NAPTR 50 50 "s" "aaa+auth:radius.tls.tcp" ""
+ _radiustls._tcp.foobar.example.com.
+
+ _radiustls._tcp.foobar.example.com. IN SRV 0 10 2083
+ radsec.example.com.
+
+ b. The consortium "foo" provides roaming services for its members
+ only. The realms used are of the form enterprise-name.example.
+ The consortium operates a special purpose DNS server for the
+ (private) TLD "example", which all RADIUS servers use to resolve
+ realm names. "Company, Inc." is part of the consortium. On the
+ consortium's DNS server, realm company.example might have the
+ following DNS entries:
+
+ company.example. IN NAPTR 50 50 "a"
+ "aaa+auth:radius.dtls.udp" "" roamserv.company.example.
+
+ c. The eduroam consortium (see [RFC7593]) uses realms based on DNS
+ but provides its services to a closed community only. However, a
+ AAA domain participating in eduroam may also want to expose AAA
+ services to other, general-purpose, applications (on the same or
+ other RADIUS servers). Due to that, the eduroam consortium uses
+ the service tag "x-eduroam" for authentication purposes and
+ eduroam RADIUS servers use this tag to look up other eduroam
+ servers. An eduroam participant example.org that also provides
+ general-purpose AAA on a different server uses the general
+ "aaa+auth" tag:
+
+ example.org. IN NAPTR 50 50 "s" "x-eduroam:radius.tls.tcp" ""
+ _radiustls._tcp.eduroam.example.org.
+
+ example.org. IN NAPTR 50 50 "s" "aaa+auth:radius.tls.tcp" ""
+ _radiustls._tcp.aaa.example.org.
+
+ _radiustls._tcp.eduroam.example.org. IN SRV 0 10 2083 aaa-
+ eduroam.example.org.
+
+ _radiustls._tcp.aaa.example.org. IN SRV 0 10 2083 aaa-
+ default.example.org.
+
+
+
+
+
+
+
+Winter & McCauley Experimental [Page 13]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+2.2. Definition of the X.509 Certificate Property
+ SubjectAltName:otherName:NAIRealm
+
+ This specification retrieves IP addresses and port numbers from the
+ Domain Name System that are subsequently used to authenticate users
+ via the RADIUS/TLS protocol. Regardless whether the results from DNS
+ discovery are trustworthy or not (e.g., DNSSEC in use), it is always
+ important to verify that the server that was contacted is authorized
+ to service requests for the user that triggered the discovery
+ process.
+
+ The input to the algorithm is an NAI realm as specified in
+ Section 3.4.1. As a consequence, the X.509 certificate of the server
+ that is ultimately contacted for user authentication needs to be able
+ to express that it is authorized to handle requests for that realm.
+
+ Current subjectAltName fields do not semantically allow an NAI realm
+ to be expressed; the field subjectAltName:dNSName is syntactically a
+ good match but would inappropriately conflate DNS names and NAI realm
+ names. Thus, this specification defines a new subjectAltName field
+ to hold either a single NAI realm name or a wildcard name matching a
+ set of NAI realms.
+
+ The subjectAltName:otherName:sRVName field certifies that a
+ certificate holder is authorized to provide a service; this can be
+ compared to the target of a DNS label's SRV resource record. If the
+ Domain Name System is insecure, it is required that the label of the
+ SRV record itself is known-correct. In this specification, that
+ label is not known-correct; it is potentially derived from a
+ (potentially untrusted) NAPTR resource record of another label. If
+ DNS is not secured with DNSSEC, the NAPTR resource record may have
+ been altered by an attacker with access to the Domain Name System
+ resolution, and thus the label used to look up the SRV record may
+ already be tainted. This makes subjectAltName:otherName:sRVName not
+ a trusted comparison item.
+
+ Further to this, this specification's NAPTR entries may be of type
+ "A", which does not involve resolution of any SRV records, which
+ again makes subjectAltName:otherName:sRVName unsuited for this
+ purpose.
+
+ This section defines the NAIRealm name as a form of otherName from
+ the GeneralName structure in subjectAltName defined in [RFC5280].
+
+
+
+
+
+
+
+
+Winter & McCauley Experimental [Page 14]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ id-on-naiRealm OBJECT IDENTIFIER ::= { id-on 8 }
+
+ ub-naiRealm-length INTEGER ::= 255
+
+ NAIRealm ::= UTF8String (SIZE (1..ub-naiRealm-length))
+
+ The NAIRealm, if present, MUST contain an NAI realm as defined in
+ [RFC7542]. It MAY substitute the leftmost dot-separated label of the
+ NAI with the single character "*" to indicate a wildcard match for
+ "all labels in this part". Further features of regular expressions,
+ such as a number of characters followed by an "*" to indicate a
+ common prefix inside the part, are not permitted.
+
+ The comparison of an NAIRealm to the NAI realm as derived from user
+ input with this algorithm is a byte-by-byte comparison, except for
+ the optional leftmost dot-separated part of the value whose content
+ is a single "*" character; such labels match all strings in the same
+ dot-separated part of the NAI realm. If at least one of the
+ sAN:otherName:NAIRealm values match the NAI realm, the server is
+ considered authorized; if none match, the server is considered
+ unauthorized.
+
+ Since multiple names and multiple name forms may occur in the
+ subjectAltName extension, an arbitrary number of NAIRealms can be
+ specified in a certificate.
+
+ Examples:
+
+ +---------------------+-------------------+-----------------------+
+ | NAI realm (RADIUS) | NAIRealm (cert) | MATCH? |
+ +---------------------+-------------------+-----------------------+
+ | foo.example | foo.example | YES |
+ | foo.example | *.example | YES |
+ | bar.foo.example | *.example | NO |
+ | bar.foo.example | *ar.foo.example | NO (NAIRealm invalid) |
+ | bar.foo.example | bar.*.example | NO (NAIRealm invalid) |
+ | bar.foo.example | *.*.example | NO (NAIRealm invalid) |
+ | sub.bar.foo.example | *.*.example | NO (NAIRealm invalid) |
+ | sub.bar.foo.example | *.bar.foo.example | YES |
+ +-----------------+-----------------------------------------------+
+
+ Figure 6: Examples for NAI Realm vs. Certificate Matching
+
+ Appendix A contains the ASN.1 definition of the above objects.
+
+
+
+
+
+
+
+Winter & McCauley Experimental [Page 15]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+3. DNS-Based NAPTR/SRV Peer Discovery
+
+3.1. Applicability
+
+ Dynamic server discovery as defined in this document is only
+ applicable for new AAA transactions and per service (i.e., distinct
+ discovery is needed for Authentication, Accounting, and Dynamic
+ Authorization) where a RADIUS entity that acts as a forwarding server
+ for one or more realms receives a request with a realm for which it
+ is not authoritative, and which no explicit next hop is configured.
+ It is only applicable for
+
+ a. new user sessions, i.e., for the initial Access-Request.
+ Subsequent messages concerning this session, for example, Access-
+ Challenges and Access-Accepts, use the previously established
+ communication channel between client and server.
+
+ b. the first accounting ticket for a user session.
+
+ c. the first RADIUS DynAuth packet for a user session.
+
+3.2. Configuration Variables
+
+ The algorithm contains various variables for timeouts. These
+ variables are named here and reasonable default values are provided.
+ Implementations wishing to deviate from these defaults should make
+ sure they understand the implications of changes.
+
+ DNS_TIMEOUT: maximum amount of time to wait for the complete set
+ of all DNS queries to complete: Default = 3 seconds
+
+ MIN_EFF_TTL: minimum DNS TTL of discovered targets: Default = 60
+ seconds
+
+ BACKOFF_TIME: if no conclusive DNS response was retrieved after
+ DNS_TIMEOUT, do not attempt dynamic discovery before BACKOFF_TIME
+ has elapsed: Default = 600 seconds
+
+3.3. Terms
+
+ Positive DNS response: A response that contains the RR that was
+ queried for.
+
+ Negative DNS response: A response that does not contain the RR that
+ was queried for but contains an SOA record along with a TTL
+ indicating cache duration for this negative result.
+
+
+
+
+
+Winter & McCauley Experimental [Page 16]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ DNS Error: Where the algorithm states "name resolution returns with
+ an error", this shall mean that either the DNS request timed out or
+ it is a DNS response, which is neither a positive nor a negative
+ response (e.g., SERVFAIL).
+
+ Effective TTL: The validity period for discovered RADIUS/TLS target
+ hosts. Calculated as: Effective TTL (set of DNS TTL values) = max {
+ MIN_EFF_TTL, min { DNS TTL values } }
+
+ SRV lookup: For the purpose of this specification, SRV lookup
+ procedures are defined as per [RFC2782] but excluding that RFCs "A"
+ fallback as defined in the "Usage Rules" section, final "else"
+ clause.
+
+ Greedy result evaluation: The NAPTR to SRV/A/AAAA resolution may lead
+ to a tree of results, whose leafs are the IP addresses to contact.
+ The branches of the tree are ordered according to their order/
+ preference DNS properties. An implementation is executing greedy
+ result evaluation if it uses a depth-first search in the tree along
+ the highest order results, attempts to connect to the corresponding
+ resulting IP addresses, and only backtracks to other branches if the
+ higher ordered results did not end in successful connection attempts.
+
+3.4. Realm to RADIUS Server Resolution Algorithm
+
+3.4.1. Input
+
+ For RADIUS Authentication and RADIUS Accounting server discovery,
+ input I to the algorithm is the RADIUS User-Name attribute with
+ content of the form "user@realm"; the literal "@" sign is the
+ separator between a local user identifier within a realm and its
+ realm. The use of multiple literal "@" signs in a User-Name is
+ strongly discouraged; but if present, the last "@" sign is to be
+ considered the separator. All previous instances of the "@" sign are
+ to be considered part of the local user identifier.
+
+ For RADIUS DynAuth server discovery, input I to the algorithm is the
+ domain name of the operator of a RADIUS realm as was communicated
+ during user authentication using the Operator-Name attribute
+ ([RFC5580], Section 4.1). Only Operator-Name values with the
+ namespace "1" are supported by this algorithm -- the input to the
+ algorithm is the actual domain name, preceded with an "@" (but
+ without the "1" namespace identifier byte of that attribute).
+
+ Note well: The attribute User-Name is defined to contain UTF-8 text.
+ In practice, the content may or may not be UTF-8. Even if UTF-8, it
+ may or may not map to a domain name in the realm part. Implementors
+ MUST take possible conversion error paths into consideration when
+
+
+
+Winter & McCauley Experimental [Page 17]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ parsing incoming User-Name attributes. This document describes
+ server discovery only for well-formed realms mapping to DNS domain
+ names in UTF-8 encoding. The result of all other possible contents
+ of User-Name is unspecified; this includes, but is not limited to:
+
+ Usage of separators other than "@".
+
+ Encoding of User-Name in local encodings.
+
+ UTF-8 realms that fail the conversion rules as per [RFC5891].
+
+ UTF-8 realms that end with a "." ("dot") character.
+
+ For the last bullet point, "trailing dot", special precautions should
+ be taken to avoid problems when resolving servers with the algorithm
+ below: they may resolve to a RADIUS server even if the peer RADIUS
+ server only is configured to handle the realm without the trailing
+ dot. If that RADIUS server again uses NAI discovery to determine the
+ authoritative server, the server will forward the request to
+ localhost, resulting in a tight endless loop.
+
+3.4.2. Output
+
+ Output O of the algorithm is a two-tuple consisting of: O-1) a set of
+ tuples {hostname; port; protocol; order/preference; Effective TTL} --
+ the set can be empty -- and O-2) an integer. If the set in the first
+ part of the tuple is empty, the integer contains the Effective TTL
+ for backoff timeout; if the set is not empty, the integer is set to 0
+ (and not used).
+
+3.4.3. Algorithm
+
+ The algorithm to determine the RADIUS server to contact is as
+ follows:
+
+ 1. Determine P = (position of last "@" character) in I.
+
+ 2. Generate R = (substring from P+1 to end of I).
+
+ 3. Modify R according to agreed consortium procedures if
+ applicable.
+
+ 4. Convert R to a representation usable by the name resolution
+ library if needed.
+
+ 5. Initialize TIMER = 0; start TIMER. If TIMER reaches
+ DNS_TIMEOUT, continue at step 20.
+
+
+
+
+Winter & McCauley Experimental [Page 18]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ 6. Using the host's name resolution library, perform a NAPTR query
+ for R (see "Delay Considerations", Section 3.4.5, below). If
+ the result is a negative DNS response, O-2 = Effective TTL ( TTL
+ value of the SOA record ) and continue at step 13. If name
+ resolution returns with error, O-1 = { empty set }, O-2 =
+ BACKOFF_TIME, and terminate.
+
+ 7. Extract NAPTR records with service tags "aaa+auth", "aaa+acct",
+ and "aaa+dynauth" as appropriate. Keep note of the protocol tag
+ and remaining TTL of each of the discovered NAPTR records.
+
+ 8. If no records are found, continue at step 13.
+
+ 9. For the extracted NAPTRs, perform successive resolution as
+ defined in [RFC3958], Section 2.2. An implementation MAY use
+ greedy result evaluation according to the NAPTR order/preference
+ fields (i.e., can execute the subsequent steps of this algorithm
+ for the highest-order entry in the set of results and only look
+ up the remainder of the set if necessary).
+
+ 10. If the set of hostnames is empty, O-1 = { empty set }, O-2 =
+ BACKOFF_TIME, and terminate.
+
+ 11. O' = (set of {hostname; port; protocol; order/preference;
+ Effective TTL ( all DNS TTLs that led to this hostname ) } for
+ all terminal lookup results).
+
+ 12. Proceed with step 18.
+
+ 13. Generate R' = (prefix R with "_radiustls._tcp." and/or
+ "_radiustls._udp.").
+
+ 14. Using the host's name resolution library, perform SRV lookup
+ with R' as label (see "Delay Considerations", Section 3.4.5,
+ below).
+
+ 15. If name resolution returns with error, O-1 = { empty set }, O-2
+ = BACKOFF_TIME, and terminate.
+
+ 16. If the result is a negative DNS response, O-1 = { empty set },
+ O-2 = min { O-2, Effective TTL ( TTL value of the SOA record )
+ }, and terminate.
+
+ 17. O' = (set of {hostname; port; protocol; order/preference;
+ Effective TTL ( all DNS TTLs that led to this result ) } for all
+ hostnames).
+
+
+
+
+
+Winter & McCauley Experimental [Page 19]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ 18. Generate O-1 by resolving hostnames in O' into corresponding A
+ and/or AAAA addresses: O-1 = (set of {IP address; port;
+ protocol; order/preference; Effective TTL ( all DNS TTLs that
+ led to this result ) } for all hostnames ), O-2 = 0.
+
+ 19. For each element in O-1, test if the original request that
+ triggered dynamic discovery was received on {IP address; port}.
+ If yes, O-1 = { empty set }, O-2 = BACKOFF_TIME, log error, and
+ terminate (see next section for a rationale). If no, O is the
+ result of dynamic discovery; terminate.
+
+ 20. O-1 = { empty set }, O-2 = BACKOFF_TIME, log error, and
+ terminate.
+
+3.4.4. Validity of Results
+
+ The discovery algorithm is used by servers that do not have
+ sufficient configuration information to process an incoming request
+ on their own. If the discovery algorithm result contains the
+ server's own listening address (IP address and port), then there is a
+ potential for an endless forwarding loop. If the listening address
+ is the DNS result with the highest priority, the server will enter a
+ tight loop (the server would forward the request to itself,
+ triggering dynamic discovery again in a perpetual loop). If the
+ address has a lower priority in the set of results, there is a
+ potential loop with intermediate hops in between (the server could
+ forward to another host with a higher priority, which might use DNS
+ itself and forward the packet back to the first server). The
+ underlying reason that enables these loops is that the server
+ executing the discovery algorithm is seriously misconfigured in that
+ it does not recognize the request as one that is to be processed by
+ itself. RADIUS has no built-in loop detection, so any such loops
+ would remain undetected. So, if step 18 of the algorithm discovers
+ such a possible-loop situation, the algorithm should be aborted and
+ an error logged. Note that this safeguard does not provide perfect
+ protection against routing loops. One reason that might introduce a
+ loop includes the possibility that a subsequent hop has a statically
+ configured next hop that leads to an earlier host in the loop.
+ Another reason for occurring loops is if the algorithm was executed
+ with greedy result evaluation, and the server's own address was in a
+ lower-priority branch of the result set that was not retrieved from
+ DNS at all, and thus can't be detected.
+
+ After executing the above algorithm, the RADIUS server establishes a
+ connection to a home server from the result set. This connection can
+ potentially remain open for an indefinite amount of time. This
+ conflicts with the possibility of changing device and network
+ configurations on the receiving end. Typically, TTL values for
+
+
+
+Winter & McCauley Experimental [Page 20]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ records in the name resolution system are used to indicate how long
+ it is safe to rely on the results of the name resolution. If these
+ TTLs are very low, thrashing of connections becomes possible; the
+ Effective TTL mitigates that risk. When a connection is open and the
+ smallest of the Effective TTL value that was learned during
+ discovering the server has not expired, subsequent new user sessions
+ for the realm that corresponds to that open connection SHOULD reuse
+ the existing connection and SHOULD NOT re-execute the discovery
+ algorithm nor open a new connection. To allow for a change of
+ configuration, a RADIUS server SHOULD re-execute the discovery
+ algorithm after the Effective TTL that is associated with this
+ connection has expired. The server SHOULD keep the session open
+ during this reassessment to avoid closure and immediate reopening of
+ the connection should the result not have changed.
+
+ Should the algorithm above terminate with O-1 = { empty set }, the
+ RADIUS server SHOULD NOT attempt another execution of this algorithm
+ for the same target realm before the timeout O-2 has passed.
+
+3.4.5. Delay Considerations
+
+ The host's name resolution library may need to contact outside
+ entities to perform the name resolution (e.g., authoritative name
+ servers for a domain), and since the NAI discovery algorithm is based
+ on uncontrollable user input, the destination of the lookups is out
+ of control of the server that performs NAI discovery. If such
+ outside entities are misconfigured or unreachable, the algorithm
+ above may need an unacceptably long time to terminate. Many RADIUS
+ implementations time out after five seconds of delay between Request
+ and Response. It is not useful to wait until the host name
+ resolution library signals a timeout of its name resolution
+ algorithms. The algorithm therefore controls execution time with
+ TIMER. Execution of the NAI discovery algorithm SHOULD be non-
+ blocking (i.e., allow other requests to be processed in parallel to
+ the execution of the algorithm).
+
+3.4.6. Example
+
+ Assume
+
+ a user from the Technical University of Munich, Germany, has a
+ RADIUS User-Name of "foobar@tu-m[U+00FC]nchen.example".
+
+ The name resolution library on the RADIUS forwarding server does
+ not have the realm tu-m[U+00FC]nchen.example in its forwarding
+ configuration but uses DNS for name resolution and has configured
+ the use of dynamic discovery to discover RADIUS servers.
+
+
+
+
+Winter & McCauley Experimental [Page 21]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ It is IPv6 enabled and prefers AAAA records over A records.
+
+ It is listening for incoming RADIUS/TLS requests on 192.0.2.1,
+ TCP/2083.
+
+ May the configuration variables be
+
+ DNS_TIMEOUT = 3 seconds
+
+ MIN_EFF_TTL = 60 seconds
+
+ BACKOFF_TIME = 3600 seconds
+
+ If DNS contains the following records
+
+ xn--tu-mnchen-t9a.example. IN NAPTR 50 50 "s"
+ "aaa+auth:radius.tls.tcp" "" _myradius._tcp.xn--tu-mnchen-
+ t9a.example.
+
+ xn--tu-mnchen-t9a.example. IN NAPTR 50 50 "s"
+ "fooservice:bar.dccp" "" _abc123._def.xn--tu-mnchen-t9a.example.
+
+ _myradius._tcp.xn--tu-mnchen-t9a.example. IN SRV 0 10 2083
+ radsecserver.xn--tu-mnchen-t9a.example.
+
+ _myradius._tcp.xn--tu-mnchen-t9a.example. IN SRV 0 20 2083
+ backupserver.xn--tu-mnchen-t9a.example.
+
+ radsecserver.xn--tu-mnchen-t9a.example. IN AAAA
+ 2001:0DB8::202:44ff:fe0a:f704
+
+ radsecserver.xn--tu-mnchen-t9a.example. IN A 192.0.2.3
+
+ backupserver.xn--tu-mnchen-t9a.example. IN A 192.0.2.7
+
+ Then the algorithm executes as follows, with I =
+ "foobar@tu-m[U+00FC]nchen.example", and no consortium name mangling
+ in use:
+
+ 1. P = 7
+
+ 2. R = "tu-m[U+00FC]nchen.example"
+
+ 3. NOOP
+
+ 4. Name resolution library converts R to xn--tu-mnchen-t9a.example
+
+ 5. TIMER starts.
+
+
+
+Winter & McCauley Experimental [Page 22]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ 6. Result:
+
+ (TTL = 47) 50 50 "s" "aaa+auth:radius.tls.tcp" ""
+ _myradius._tcp.xn--tu-mnchen-t9a.example.
+
+ (TTL = 522) 50 50 "s" "fooservice:bar.dccp" ""
+ _abc123._def.xn--tu-mnchen-t9a.example.
+
+ 7. Result:
+
+ (TTL = 47) 50 50 "s" "aaa+auth:radius.tls.tcp" ""
+ _myradius._tcp.xn--tu-mnchen-t9a.example.
+
+ 8. NOOP
+
+ 9. Successive resolution performs SRV query for label
+ _myradius._tcp.xn--tu-mnchen-t9a.example, which results in
+
+ (TTL 499) 0 10 2083 radsec.xn--tu-mnchen-t9a.example.
+
+ (TTL 2200) 0 20 2083 backup.xn--tu-mnchen-t9a.example.
+
+ 10. NOOP
+
+ 11. O' = {
+
+ (radsec.xn--tu-mnchen-t9a.example.; 2083; RADIUS/TLS; 10;
+ 60),
+
+ (backup.xn--tu-mnchen-t9a.example.; 2083; RADIUS/TLS; 20; 60)
+
+ } // minimum TTL is 47, upped to MIN_EFF_TTL
+
+ 12. Continuing at 18.
+
+ 13. (not executed)
+
+ 14. (not executed)
+
+ 15. (not executed)
+
+ 16. (not executed)
+
+ 17. (not executed)
+
+
+
+
+
+
+
+Winter & McCauley Experimental [Page 23]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ 18. O-1 = {
+
+ (2001:0DB8::202:44ff:fe0a:f704; 2083; RADIUS/TLS; 10; 60),
+
+ (192.0.2.7; 2083; RADIUS/TLS; 20; 60)
+
+ }; O-2 = 0
+
+ 19. No match with own listening address; terminate with tuple (O-1,
+ O-2) from previous step.
+
+ The implementation will then attempt to connect to two servers, with
+ preference to [2001:0DB8::202:44ff:fe0a:f704]:2083 using the RADIUS/
+ TLS protocol.
+
+4. Operations and Manageability Considerations
+
+ The discovery algorithm as defined in this document contains several
+ options: the major ones are use of NAPTR vs. SRV; how to determine
+ the authorization status of a contacted server for a given realm; and
+ which trust anchors to consider trustworthy for the RADIUS
+ conversation setup.
+
+ Random parties that do not agree on the same set of options may not
+ be able to interoperate. However, such a global interoperability is
+ not intended by this document.
+
+ Discovery as per this document becomes important inside a roaming
+ consortium, which has set up roaming agreements with the other
+ partners. Such roaming agreements require much more than a technical
+ means of server discovery; there are administrative and contractual
+ considerations at play (service contracts, back-office compensations,
+ procedures, etc.).
+
+ A roaming consortium's roaming agreement must include a profile of
+ which choice points in this document to use. So as long as the
+ roaming consortium can settle on one deployment profile, they will be
+ able to interoperate based on that choice; this per-consortium
+ interoperability is the intended scope of this document.
+
+
+
+
+
+
+
+
+
+
+
+
+Winter & McCauley Experimental [Page 24]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+5. Security Considerations
+
+ When using DNS without DNSSEC security extensions and validation for
+ all of the replies to NAPTR, SRV, and A/AAAA requests as described in
+ Section 3, the result of the discovery process can not be trusted.
+ Even if it can be trusted (i.e., DNSSEC is in use), actual
+ authorization of the discovered server to provide service for the
+ given realm needs to be verified. A mechanism from Section 2.1.1.3
+ or equivalent MUST be used to verify authorization.
+
+ The algorithm has a configurable completion timeout DNS_TIMEOUT
+ defaulting to three seconds for RADIUS' operational reasons. The
+ lookup of DNS resource records based on unverified user input is an
+ attack vector for DoS attacks: an attacker might intentionally craft
+ bogus DNS zones that take a very long time to reply (e.g., due to a
+ particularly byzantine tree structure or artificial delays in
+ responses).
+
+ To mitigate this DoS vector, implementations SHOULD consider rate
+ limiting either the amount of new executions of the discovery
+ algorithm as a whole or the amount of intermediate responses to
+ track, or at least the number of pending DNS queries.
+ Implementations MAY choose lower values than the default for
+ DNS_TIMEOUT to limit the impact of DoS attacks via that vector. They
+ MAY also continue their attempt to resolve DNS records even after
+ DNS_TIMEOUT has passed; a subsequent request for the same realm might
+ benefit from retrieving the results anyway. The amount of time spent
+ waiting for a result will influence the impact of a possible DoS
+ attack; the waiting time value is implementation dependent and
+ outside the scope of this specification.
+
+ With dynamic discovery being enabled for a RADIUS server, and
+ depending on the deployment scenario, the server may need to open up
+ its target IP address and port for the entire Internet because
+ arbitrary clients may discover it as a target for their
+ authentication requests. If such clients are not part of the roaming
+ consortium, the RADIUS/TLS connection setup phase will fail (which is
+ intended), but the computational cost for the connection attempt is
+ significant. When the port for a TLS-based service is open, the
+ RADIUS server shares all the typical attack vectors for services
+ based on TLS (such as HTTPS and SMTPS). Deployments of RADIUS/TLS
+ with dynamic discovery should consider these attack vectors and take
+ appropriate countermeasures (e.g., blacklisting known bad IPs on a
+ firewall, rate limiting new connection attempts, etc.).
+
+
+
+
+
+
+
+Winter & McCauley Experimental [Page 25]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+6. Privacy Considerations
+
+ The classic RADIUS operational model (known, preconfigured peers,
+ shared secret security, and mostly plaintext communication) and this
+ new RADIUS dynamic discovery model (peer discovery with DNS, PKI
+ security, and packet confidentiality) differ significantly in their
+ impact on the privacy of end users trying to authenticate to a RADIUS
+ server.
+
+ With classic RADIUS, traffic in large environments gets aggregated by
+ statically configured clearinghouses. The packets sent to those
+ clearinghouses and their responses are mostly unprotected. As a
+ consequence,
+
+ o All intermediate IP hops can inspect most of the packet payload in
+ clear text, including the User-Name and Calling-Station-Id
+ attributes, and can observe which client sent the packet to which
+ clearinghouse. This allows the creation of mobility profiles for
+ any passive observer on the IP path.
+
+ o The existence of a central clearinghouse creates an opportunity
+ for the clearinghouse to trivially create the same mobility
+ profiles. The clearinghouse may or may not be trusted not to do
+ this, e.g., by sufficiently threatening contractual obligations.
+
+ o In addition to that, with the clearinghouse being a RADIUS
+ intermediate in possession of a valid shared secret, the
+ clearinghouse can observe and record even the security-critical
+ RADIUS attributes such as User-Password. This risk may be
+ mitigated by choosing authentication payloads that are
+ cryptographically secured and do not use the attribute User-
+ Password -- such as certain EAP types.
+
+ o There is no additional information disclosure to parties outside
+ the IP path between the RADIUS client and server (in particular,
+ no DNS servers learn about realms of current ongoing
+ authentications).
+
+ With RADIUS and dynamic discovery,
+
+ o This protocol allows for RADIUS clients to identify and directly
+ connect to the RADIUS home server. This can eliminate the use of
+ clearinghouses to do forwarding of requests, and it also
+ eliminates the ability of the clearinghouse to then aggregate the
+ user information that flows through it. However, there are
+ reasons why clearinghouses might still be used. One reason to
+ keep a clearinghouse is to act as a gateway for multiple backends
+
+
+
+
+Winter & McCauley Experimental [Page 26]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ in a company; another reason may be a requirement to sanitize
+ RADIUS datagrams (filter attributes, tag requests with new
+ attributes, etc.).
+
+ o Even where intermediate proxies continue to be used for reasons
+ unrelated to dynamic discovery, the number of such intermediates
+ may be reduced by removing those proxies that are only deployed
+ for pure request routing reasons. This reduces the number of
+ entities that can inspect the RADIUS traffic.
+
+ o RADIUS clients that make use of dynamic discovery will need to
+ query the Domain Name System and use a user's realm name as the
+ query label. A passive observer on the IP path between the RADIUS
+ client and the DNS server(s) being queried can learn that a user
+ of that specific realm was trying to authenticate at that RADIUS
+ client at a certain point in time. This may or may not be
+ sufficient for the passive observer to create a mobility profile.
+ During the recursive DNS resolution, a fair number of DNS servers
+ and the IP hops in between those get to learn that information.
+ Not every single authentication triggers DNS lookups, so there is
+ no one-to-one relation of leaked realm information and the number
+ of authentications for that realm.
+
+ o Since dynamic discovery operates on a RADIUS hop-by-hop basis,
+ there is no guarantee that the RADIUS payload is not transmitted
+ between RADIUS systems that do not make use of this algorithm, and
+ they possibly use other transports such as RADIUS/UDP. On such
+ hops, the enhanced privacy is jeopardized.
+
+ In summary, with classic RADIUS, few intermediate entities learn very
+ detailed data about every ongoing authentication, while with dynamic
+ discovery, many entities learn only very little about recently
+ authenticated realms.
+
+7. IANA Considerations
+
+ Per this document, IANA has added the following entries in existing
+ registries:
+
+ o S-NAPTR Application Service Tags registry
+
+ * aaa+auth
+
+ * aaa+acct
+
+ * aaa+dynauth
+
+
+
+
+
+Winter & McCauley Experimental [Page 27]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ o S-NAPTR Application Protocol Tags registry
+
+ * radius.tls.tcp
+
+ * radius.dtls.udp
+
+ This document reserves the use of the "radiustls" and "radiusdtls"
+ service names. Registration information as per Section 8.1.1 of
+ [RFC6335] is as follows:
+
+ Service Name: radiustls; radiusdtls
+
+ Transport Protocols: TCP (for radiustls), UDP (for radiusdtls)
+
+ Assignee: IESG <iesg@ietf.org>
+
+ Contact: IETF Chair <chair@ietf.org>
+
+ Description: Authentication, Accounting, and Dynamic Authorization
+ via the RADIUS protocol. These service names are used to
+ construct the SRV service labels "_radiustls" and "_radiusdtls"
+ for discovery of RADIUS/TLS and RADIUS/DTLS servers, respectively.
+
+ Reference: RFC 7585
+
+ This specification makes use of the SRV protocol identifiers "_tcp"
+ and "_udp", which are mentioned as early as [RFC2782] but do not
+ appear to be assigned in an actual registry. Since they are in
+ widespread use in other protocols, this specification refrains from
+ requesting a new registry "RADIUS/TLS SRV Protocol Registry" and
+ continues to make use of these tags implicitly.
+
+ Per this document, a number of Object Identifiers have been assigned.
+ They are now under the control of IANA following [RFC7299].
+
+ IANA has assigned the following identifiers:
+
+ 85 has been assigned from the "SMI Security for PKIX Module
+ Identifier" registry. The description is id-mod-nai-realm-08.
+
+ 8 has been assigned from the "SMI Security for PKIX Other Name
+ Forms" registry. The description is id-on-naiRealm.
+
+
+
+
+
+
+
+
+
+Winter & McCauley Experimental [Page 28]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+8. References
+
+8.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
+ specifying the location of services (DNS SRV)", RFC 2782,
+ DOI 10.17487/RFC2782, February 2000,
+ <http://www.rfc-editor.org/info/rfc2782>.
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)",
+ RFC 2865, DOI 10.17487/RFC2865, June 2000,
+ <http://www.rfc-editor.org/info/rfc2865>.
+
+ [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866,
+ DOI 10.17487/RFC2866, June 2000,
+ <http://www.rfc-editor.org/info/rfc2866>.
+
+ [RFC3958] Daigle, L. and A. Newton, "Domain-Based Application
+ Service Location Using SRV RRs and the Dynamic Delegation
+ Discovery Service (DDDS)", RFC 3958, DOI 10.17487/RFC3958,
+ January 2005, <http://www.rfc-editor.org/info/rfc3958>.
+
+ [RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
+ Aboba, "Dynamic Authorization Extensions to Remote
+ Authentication Dial In User Service (RADIUS)", RFC 5176,
+ DOI 10.17487/RFC5176, January 2008,
+ <http://www.rfc-editor.org/info/rfc5176>.
+
+ [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
+ Housley, R., and W. Polk, "Internet X.509 Public Key
+ Infrastructure Certificate and Certificate Revocation List
+ (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
+ <http://www.rfc-editor.org/info/rfc5280>.
+
+ [RFC5580] Tschofenig, H., Ed., Adrangi, F., Jones, M., Lior, A., and
+ B. Aboba, "Carrying Location Objects in RADIUS and
+ Diameter", RFC 5580, DOI 10.17487/RFC5580, August 2009,
+ <http://www.rfc-editor.org/info/rfc5580>.
+
+
+
+
+
+
+
+Winter & McCauley Experimental [Page 29]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+ [RFC5891] Klensin, J., "Internationalized Domain Names in
+ Applications (IDNA): Protocol", RFC 5891,
+ DOI 10.17487/RFC5891, August 2010,
+ <http://www.rfc-editor.org/info/rfc5891>.
+
+ [RFC6614] Winter, S., McCauley, M., Venaas, S., and K. Wierenga,
+ "Transport Layer Security (TLS) Encryption for RADIUS",
+ RFC 6614, DOI 10.17487/RFC6614, May 2012,
+ <http://www.rfc-editor.org/info/rfc6614>.
+
+ [RFC7360] DeKok, A., "Datagram Transport Layer Security (DTLS) as a
+ Transport Layer for RADIUS", RFC 7360,
+ DOI 10.17487/RFC7360, September 2014,
+ <http://www.rfc-editor.org/info/rfc7360>.
+
+ [RFC7542] DeKok, A., "The Network Access Identifier", RFC 7542,
+ DOI 10.17487/RFC7542, May 2015,
+ <http://www.rfc-editor.org/info/rfc7542>.
+
+8.2. Informative References
+
+ [RFC4017] Stanley, D., Walker, J., and B. Aboba, "Extensible
+ Authentication Protocol (EAP) Method Requirements for
+ Wireless LANs", RFC 4017, DOI 10.17487/RFC4017, March
+ 2005, <http://www.rfc-editor.org/info/rfc4017>.
+
+ [RFC6335] Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S.
+ Cheshire, "Internet Assigned Numbers Authority (IANA)
+ Procedures for the Management of the Service Name and
+ Transport Protocol Port Number Registry", BCP 165,
+ RFC 6335, DOI 10.17487/RFC6335, August 2011,
+ <http://www.rfc-editor.org/info/rfc6335>.
+
+ [RFC6733] Fajardo, V., Ed., Arkko, J., Loughney, J., and G. Zorn,
+ Ed., "Diameter Base Protocol", RFC 6733,
+ DOI 10.17487/RFC6733, October 2012,
+ <http://www.rfc-editor.org/info/rfc6733>.
+
+ [RFC7299] Housley, R., "Object Identifier Registry for the PKIX
+ Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014,
+ <http://www.rfc-editor.org/info/rfc7299>.
+
+ [RFC7593] Wierenga, K., Winter, S., and T. Wolniewicz, "The eduroam
+ Architecture for Network Roaming", RFC 7593,
+ DOI 10.17487/RFC7593, September 2015,
+ <http://www.rfc-editor.org/info/rfc7593>.
+
+
+
+
+
+Winter & McCauley Experimental [Page 30]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+Appendix A. ASN.1 Syntax of NAIRealm
+
+PKIXNaiRealm08 {iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-nai-realm-08(85) }
+
+ DEFINITIONS EXPLICIT TAGS ::=
+
+ BEGIN
+
+ -- EXPORTS ALL --
+
+ IMPORTS
+
+ id-pkix
+ FROM PKIX1Explicit-2009
+ {iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-explicit-02(51)}
+ -- from RFCs 5280 and 5912
+
+ OTHER-NAME
+ FROM PKIX1Implicit-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
+ -- from RFCs 5280 and 5912
+ ;
+
+
+ -- Service Name Object Identifier
+
+ id-on OBJECT IDENTIFIER ::= { id-pkix 8 }
+
+ id-on-naiRealm OBJECT IDENTIFIER ::= { id-on 8 }
+
+ -- Service Name
+
+ naiRealm OTHER-NAME ::= { NAIRealm IDENTIFIED BY { id-on-naiRealm }}
+
+ ub-naiRealm-length INTEGER ::= 255
+
+ NAIRealm ::= UTF8String (SIZE (1..ub-naiRealm-length))
+
+ END
+
+
+
+
+
+
+
+Winter & McCauley Experimental [Page 31]
+
+RFC 7585 RADIUS Peer Discovery October 2015
+
+
+Authors' Addresses
+
+ Stefan Winter
+ Fondation RESTENA
+ 6, rue Richard Coudenhove-Kalergi
+ Luxembourg 1359
+ Luxembourg
+
+ Phone: +352 424409 1
+ Fax: +352 422473
+ Email: stefan.winter@restena.lu
+ URI: http://www.restena.lu
+
+
+ Mike McCauley
+ AirSpayce Pty Ltd
+ 9 Bulbul Place
+ Currumbin Waters QLD 4223
+ Australia
+
+ Phone: +61 7 5598 7474
+ Email: mikem@airspayce.com
+ URI: http://www.airspayce.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Winter & McCauley Experimental [Page 32]
+