Part II. Raj Jain. Washington University in St. Louis

Similar documents
Computer Networks II, advanced networking

TSIN02 - Internetworking

AAA Working Group Pat R. Calhoun

REMOTE AUTHENTICATION DIAL IN USER SERVICE

RADIUS - QUICK GUIDE AAA AND NAS?

Table of Contents. Diameter Base Protocol -- Pocket Guide 1

TSIN02 - Internetworking

RESTCOMMONE. jdiameter. Copyright All Rights Reserved Page 2

TSIN02 - Internetworking

Diameter. Term Paper Seminar in Communication Systems. Author: Christian Schulze Student ID: Date: February 4, 2003 Tutor: Martin Gutbrod

Configuring Security for the ML-Series Card

Overview of Authentication Systems

Diameter Copyright Ericsson AB. All Rights Reserved. Diameter 1.7 June 23, 2014

Overview. RADIUS Protocol CHAPTER

Network Working Group Request for Comments: D. Mitton RSA, Security Division of EMC B. Aboba Microsoft Corporation January 2008

Diameter NASREQ Application. Status of this Memo. This document is an Internet-Draft and is subject to all provisions of Section 10 of RFC2026.

Key Management and Distribution

Network Security. Rev 1.0.

Configuring RADIUS and TACACS+ Servers

Radius, LDAP, Radius used in Authenticating Users

Secure Network Access Authentication (SeNAA)

Mobile IPv6. Washington University in St. Louis

Wireless Network Security

Wireless LAN Security. Gabriel Clothier

Configuring RADIUS Servers

Elastic Charging Engine 11.3 RADIUS Gateway Protocol Implementation Conformance Statement Release 7.5

Network Access Flows APPENDIXB

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Topics in Computer Networking Switch SS7 PSTN/ISDN. Gatekeeper/ Proxy Server. Topics in Computer Networking Н.

Objective. Performance. Availability. Cost. A good network citizen

Configuring Internet Key Exchange Security Protocol

MIP4 Working Group. Generic Notification Message for Mobile IPv4 draft-ietf-mip4-generic-notification-message-16

An SCTP-Protocol Data Unit with several chunks

Open Diameter Conformance Testing

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application

Table of Contents 1 AAA Overview AAA Configuration 2-1

RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values

Mobile IPv6. Raj Jain. Washington University in St. Louis

Configuring Security Features on an External AAA Server

Configuring RADIUS. Information About RADIUS. RADIUS Network Environments. Send document comments to

Transport Protocols. Raj Jain. Washington University in St. Louis

Configuring RADIUS and TACACS+

Configuring Security on the GGSN

TCP/IP Protocol Suite 1

HP Unified Wired-WLAN Products

RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values

Implementing Secure Shell

Mobility support in RADIUS and Diameter

MCSA Guide to Networking with Windows Server 2016, Exam

Network security session 9-2 Router Security. Network II

Configuring TACACS+ Information About TACACS+ Send document comments to CHAPTER

Configuring IEEE 802.1X Port-Based Authentication

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Configuring the Management Interface and Security

Table of Contents 1 AAA Overview AAA Configuration 2-1

Merit Network, Incorporated Bernard Aboba Microsoft March 1997

Lecture 3.1: Handling Remote Access: RADIUS

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

This chapter includes the following sections: Overview, on page 1 How Proxy Mobile IP Works in 3GPP Network, on page 11

Overview, page 1 How Proxy Mobile IP Works in 3GPP Network, page 10

Network Working Group. Intended status: Standards Track. January 15, 2010

Does current Internet Transport work over Wireless? Reviewing the status of IETF work in this area

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents

Firewalls, Tunnels, and Network Intrusion Detection

HP Instant Support Enterprise Edition (ISEE) Security overview

Data Structure Mapping

Request for Comments: Toshiba B. Patil H. Tschofenig Nokia Siemens Networks A. Yegin Samsung May 2008

Data Structure Mapping

Data Structure Mapping

PANA applicability in constrained environments

RADIUS Attributes Overview and RADIUS IETF Attributes

SIP Compliance APPENDIX

Configuring Switch-Based Authentication

Installation & Configuration Guide Version 4.0

Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15M&T

802.1x Configuration. FSOS 802.1X Configuration

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

SA2, 3GPP/IETF (Ileana Leuca) Title: LS to clarify protocol requirement differences identified in December 2000 AAA meeting presentation.

Stream Control Transmission Protocol

Virtual Private Networks (VPNs)

Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security

Network Systems. Bibliography. Outline. General principles about Radius server. Radius Protocol

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

CSC 4900 Computer Networks: Security Protocols (2)

Configuring Authentication, Authorization, and Accounting

Kerberos V5. Raj Jain. Washington University in St. Louis

Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x

Configuring SSL. SSL Overview CHAPTER

AAA LDAP Configuration Guide, Cisco IOS Release 15M&T

Configuring Request Authentication and Authorization

Configuring SSL. SSL Overview CHAPTER

Virtual Private Network

FA Service Configuration Mode Commands

802.1x Configuration. Page 1 of 11

Configuring Virtual Servers

IPSec implementation for SCTP

IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT

Outline. History Introduction Packets Association/ Termination Data Transmission concepts Multihoming Streams

CASP Cross- Application Signaling Protocol

IPSec Network Applications

Transcription:

Part II Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-07/ 19-1

Overview TACACS, TACACS+ RADIUS, Packet Format, Accounting Problems with RADIUS Diameter Base Protocol AAA Transport Profile AAA Key Management Principles 19-2

TACACS Terminal Access Controller Access-Control System Routing nodes in ARPAnet were called IMPS. IMPs with dial up access were called TIPs. BBN developed TACACS for ARPANET AAA server is a process in a UNIX server - called TACACS daemon. Uses UDP port 49 Username and passwords were sent in clear for authentication No longer used Cisco adopted TACACS for terminal servers extended TACACS or XTACACS 19-3

TACACS+ Terminal Access Controller Access-Control System Plus Cisco's further improved version of TACACS and XTACACS Not compatible with TACACS Payload is encrypted Described in draft-grant-tacacs-02.txt, Jan 1997. Uses TCP port 49 19-4

RFC 2138, June 2000 UDP port 1812 Why UDP? RADIUS In case of server failure, the request must be re-sent to backup Application level retransmission required TCP takes to long to indicate failure Stateless protocol 19-5

RADIUS Packet Format Code Identifier Length Authenticator Attributes 1B 1B 2B 16B Codes: 1 = Access Request 2 = Access Accept 3 = Access Reject 4 = Accounting request 5 = Accounting Response 11 = Access Challenge 12 = Server Status (experimental) 13 = Client Status (Experimental) 255 = Reserved 19-6

RADIUS Packet Format (Cont) 16B Authenticator is used to authenticate the reply from the RADIUS server In Access-request packets 16B random number is send as authenticator Password in packet = MD5(Shared secret authenticator) password Response Authenticator = MD5(Code ID Length Request Auth Attributes Shared secret) All attributes are TLV encoded. 19-7

RFC 2866, June 2000 RADIUS Accounting Client sends to the server: Accounting Start Packet at service beginning Accounting Stop Packet at end All packets are acked by the server Packet format same as in authentication 19-8

RADIUS Server Implementations Public domain software implementations: FreeRADIUS GNU RADIUS JRadius OpenRADIUS Cistron RADIUS BSDRadius TekRADIUS 19-9

Problems with RADIUS Does not define standard failover mechanism varying implementations Original RADIUS defines integrity only for response packets RADIUS extensions define integrity for EAP sessions Does not support per-packet confidentiality Billing replay protection is assumed in server. Not provided by protocol. IPsec is optional Runs on UDP Reliability varies between implementation. Billing packet loss may result in revenue loss. RADIUS does not define expected behavior for proxies, redirects, and relays No standard for proxy chaining 19-10

Problems with RADIUS (Cont) Does not allow server initiated messages No On-demand authentication and unsolicited disconnect Does not define data object security mechanism Untrusted proxies can modify attributes Does not support error messages Does not support capability negotiation No mandatory/non-mandatory flag for attributes Servers name/address should be manually configured in clients Administrative burden Temptation to reuse shared secrets 19-11

RFC 3588, Sep 2003 Diameter Base Protocol Defines standard failover algorithm Runs over TCP and Stream Control Transmission Protocol (SCTP) PDU format incompatible with RADIUS Can co-exist with RADIUS in the same network Supports: Delivery of attribute-value pairs (AVPs) Capability negotiation Error notification Ability to add new commands and AVPs Discovery of servers via DNS Dynamic session key derivation via TLS 19-12

Diameter Base Protocol (Cont) All data is delivered in the form of AVPs AVPs have mandatory/non-mandatory bit Peer-to-peer protocol any node can initiate request. Documents: Base, transport profile, applications Applications: NAS, Mobile IP, Credit control (prepaid, post-paid, credit-debit), 3G, EAP, SIP 19-13

RFC 3539, June 2003 AAA Transport Profile Network Access Identifier (NAI) = User ID Application driven vs. network driven: Network is not the bottleneck for AAA messages Application driven. No congestion issues. Slow Failover: TCP time outs slow Use of Nagle Algorithm: Many AAA messages are combined in one TCP message Multiple Connections: Max 256 requests in progress between a client and a server Duplicate Detection: Servers and clients recognize duplicate request or responses and discard them. A single request when duplicated can result in success and failure responses. 19-14

AAA Transport Profile (Cont) Invalidation of Transport Parameter Estimates: Timeouts should account for network congestion Inability to use fast re-transmit: most AAA protocols are always close to initial window set to 1 or 2 Congestion Avoidance: Delayed Acks: application driven explicit acks Premature failover: some implementation switch to backup server prematurely Head of line blocking: TCP queue may build up after a packet loss hold up other AAA requests on the same connection Connection load balancing: 19-15

AAA Key Management Principles RFC 4962, July 2007 (Housley Criteria) Ability to negotiate crypto algorithms Support multiple algorithm Ability to negotiate key derivation function is not required At least one suite of mandatory algorithms must be selected Use strong fresh session keys. Session keys must not be dependent on one another Knowing a session key, Can t find another session key Use nonce to ensure each session key is fresh. Include replay detection mechanism Authenticate all parties Lower layer identifiers used for authorization should be authenticated 19-16

AAA Key Management Principles (Cont) Both peer and authenticator must be authorized Detect unauthorized authenticator Peer, Authenticator, Authentication server should have a common view of authorizations Cipher suite selection should be securely confirmed detect roll-back attacks All keys should be uniquely named and key name should disclose key value Prevent domino effect Compromise of a single entity must not compromise key material at other entities in other branches (may compromise children entities) Bind key to its context: use, who has access, life time. All entities with access to keying material should have the same context. 19-17

Summary TACACS and TACACS+ are legacy AAA protocols RADIUS provides good security but lacks sophisticated mechanisms required for failover Diameter is a replacement for RADIUS. Fixes most known shortcomings of RADIUS. 19-18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback