WUSTL CSE 571S - Lecture Notes
©2007 Raj Jain, CSE571S, Washington University in St. Louis

Part II
Raj Jain
Washington University in Saint Louis
Saint Louis, MO
[email protected]
Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-07/

Overview
- TACACS, TACACS+
- RADIUS, Packet Format, Accounting
- Problems with RADIUS
- Diameter Base Protocol
- AAA Transport Profile
- AAA Key Management Principles

TACACS
- Terminal Access Controller Access-Control System
- Routing nodes in ARPAnet were called IMPs. IMPs with dial-up access were called TIPs.
- BBN developed TACACS for ARPANET
- AAA server is a process in a UNIX server, called the TACACS daemon.
- Uses UDP port 49
- Usernames and passwords were sent in the clear for authentication ⇒ No longer used
- Cisco adopted TACACS for terminal servers: extended TACACS or XTACACS

TACACS+
- Terminal Access Controller Access-Control System Plus
- Cisco's further improved version of TACACS and XTACACS
- Not compatible with TACACS
- Payload is encrypted
- Described in draft-grant-tacacs-02.txt, Jan 1997.
- Uses TCP port 49

RADIUS
- RFC 2138, June 2000
- UDP port 1812
- Why UDP?
  - In case of server failure, the request must be re-sent to a backup ⇒ Application-level retransmission required
  - TCP takes too long to indicate failure
  - Stateless protocol

RADIUS Packet Format
Code (1B) | Identifier (1B) | Length (2B) | Authenticator (16B) | Attributes
Codes:
1 = Access Request
2 = Access Accept
3 = Access Reject
4 = Accounting Request
5 = Accounting Response
11 = Access Challenge
12 = Server Status (experimental)
13 = Client Status (experimental)
255 = Reserved
RADIUS Packet Format (Cont)
- 16B Authenticator is used to authenticate the reply from the RADIUS server
- In Access-Request packets a 16B random number is sent as the authenticator
- Password in packet = MD5(Shared secret | authenticator) ⊕ password
- Response Authenticator = MD5(Code | ID | Length | Request Auth | Attributes | Shared secret)
- All attributes are TLV encoded.

RADIUS Accounting
- RFC 2866, June 2000
- Client sends to the server:
  - Accounting Start packet at service beginning
  - Accounting Stop packet at end
- All packets are acked by the server
- Packet format same as in authentication

RADIUS Server Implementations
Public domain software implementations:
- FreeRADIUS
- GNU RADIUS
- JRadius
- OpenRADIUS
- Cistron RADIUS
- BSDRadius
- TekRADIUS

Problems with RADIUS
- Does not define a standard failover mechanism ⇒ varying implementations
- Original RADIUS defines integrity only for response packets
- RADIUS extensions define integrity for EAP sessions
- Does not support per-packet confidentiality
- Billing replay protection is assumed in the server. Not provided by the protocol.
- IPsec is optional
- Runs on UDP ⇒ Reliability varies between implementations. Billing packet loss may result in revenue loss.
- RADIUS does not define expected behavior for proxies, redirects, and relays ⇒ No standard for proxy chaining
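The packet layout, User-Password hiding and Response Authenticator from the RADIUS Packet Format slides, worked through in Python as an added example (not from the lecture or any RADIUS implementation); the shared secret and the fixed request authenticator are constructed sample values, and attribute types 1 (User-Name) and 2 (User-Password) are the RFC 2865 values. Verifying the reply is the only integrity check the original protocol gives the client, which is the "integrity only for response packets" point above.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not from the lecture: a shared secret and a fixed
# 16-byte request authenticator (a real client draws it from os.urandom).
SHARED_SECRET = b"example-secret"
REQUEST_AUTH = bytes(range(16))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """XOR block 1 with MD5(secret | authenticator), later blocks with
    MD5(secret | previous cipher block). Keyed obfuscation, not encryption."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse: same keystream, XOR is self-inverse."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def tlv(attr_type: int, value: bytes) -> bytes:
    """Attributes are TLV encoded: type (1B), total length (1B), value."""
    return bytes([attr_type, 2 + len(value)]) + value

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code (1B) | Identifier (1B) | Length (2B) | Authenticator (16B) | Attributes."""
    return struct.pack("!BBH16s", code, ident, 20 + len(attrs), authenticator) + attrs

def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code | ID | Length | Request Authenticator | Attributes | Shared secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client check that the reply came from a server holding the shared secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)
```

Note that nothing in the Access-Request itself is integrity-protected: only the reply carries an authenticator bound to the request, so a changed attribute in the request goes unnoticed unless an extension (EAP, Message-Authenticator) or IPsec is in use.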
Problems with RADIUS (Cont)
- Does not allow server-initiated messages ⇒ No on-demand authentication and unsolicited disconnect
- Does not define a data object security mechanism ⇒ Untrusted proxies can modify attributes
- Does not support error messages
- Does not support capability negotiation
- No mandatory/non-mandatory flag for attributes
- Server name/address must be manually configured in clients ⇒ Administrative burden ⇒ Temptation to reuse shared secrets

Diameter Base Protocol
- RFC 3588, Sep 2003
- Defines a standard failover algorithm
- Runs over TCP and Stream Control Transmission Protocol (SCTP)
- PDU format incompatible with RADIUS
- Can co-exist with RADIUS in the same network
- Supports:
  - Delivery of attribute-value pairs (AVPs)
  - Capability negotiation
  - Error notification
  - Ability to add new commands and AVPs
  - Discovery of servers via DNS
  - Dynamic session key derivation via TLS

Diameter Base Protocol (Cont)
- All data is delivered in the form of AVPs
- AVPs have a mandatory/non-mandatory bit
- Peer-to-peer protocol ⇒ any node can initiate a request.
- Documents: Base, transport profile, applications
- Applications: NAS, Mobile IP, Credit control (pre-paid, post-paid, credit-debit), 3G, EAP, SIP

AAA Transport Profile
- RFC 3539, June 2003
- Network Access Identifier (NAI) = User ID
- Application driven vs. network driven: Network is not the bottleneck for AAA messages ⇒ Application driven. No congestion issues.
- Slow Failover: TCP timeouts ⇒ slow
- Use of Nagle Algorithm: Many AAA messages are combined in one TCP message
- Multiple Connections: Max 256 requests in progress between a client and a server
- Duplicate Detection: Servers and clients recognize duplicate requests or responses and discard them.
  - A single request, when duplicated, can result in success and failure responses.

AAA Transport Profile (Cont)
- Invalidation of Transport Parameter Estimates: Timeouts should account for network congestion
- Inability to use fast re-transmit: most AAA protocols are always close to the initial window set to 1 or 2
- Congestion Avoidance:
- Delayed Acks: application driven ⇒ explicit acks
- Premature failover: some implementations switch to the backup server prematurely
- Head of line blocking: TCP queue may build up after a packet loss ⇒ hold up other AAA requests on the same connection
- Connection load balancing: