[EXTERNAL] Re: [EXT] Multiple NAS clients within same network

Winfield, Alister (Senior Solutions Architect) Alister.Winfield at sky.uk
Tue Oct 4 20:04:11 UTC 2022


How about RADIUS over QUIC? I'm guessing RADIUS would lend itself more to the UDP transport. If I had the time, I'd steal the DNS over QUIC work and err create the same thing for RADIUS.

A.

From: Freeradius-Users <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Date: Tuesday, 4 October 2022 at 19:24
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: [EXTERNAL] Re: [EXT] Multiple NAS clients within same network
On Oct 4, 2022, at 1:39 PM, Brian Julin <BJulin at clarku.edu> wrote:
>
> Alan DeKok <aland at deployingradius.com> wrote:
>> Use RADIUS over TLS.  It solves this problem, and is secure.
>> I have a document which I will be working through the IETF as a new RADIUS standard.  It will officially deprecate RADIUS/UDP, and require TLS transport for most situations.
>> The document will also explain just how bad an idea it is to run RADIUS/UDP over the Internet.  Do you like people breaking all of your security?  No?
>> Then don't run RADIUS/UDP over the Internet.
>
> That surely cannot be emphasized enough.  It's surprising people do it.

  I just submitted a document to the IETF:

https://datatracker.ietf.org/doc/html/draft-dekok-radext-deprecating-radius-00

  And wrote an article on it:

https://networkradius.com/articles/2022/10/04/radius-insecurity.html


  From the IETF document:

4.  All short Shared Secrets have been compromised

   Unless RADIUS packets are sent over a secure network (IPSec, TLS,
   etc.), administrators should assume that any shared secret of 8
   characters or less has been immediately compromised.  Administrators
   should assume that any shared secret of 10 characters or less has
   been compromised by an attacker with significant resources.
   Administrators should also assume that any private information (such
   as User-Password) which depends on such shared secrets has also been
   compromised.

   Further, if a User-Password has been sent over the Internet via
   RADIUS/UDP or RADIUS/TCP in the last decade, you should assume that
   password has been compromised by an attacker with sufficient
   resources.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
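The quoted draft text above gives concrete thresholds (8 characters or less: assume compromised; 10 or less: assume compromised by a well-resourced attacker) and exempts traffic that is protected by TLS. The following is an added audit script, not code from the thread, the draft, or the FreeRADIUS project: it parses a FreeRADIUS-style `clients.conf`, applies those thresholds to each client's `secret`, and treats clients with `proto = tls` as RADIUS/TLS peers whose security does not rest on the shared secret. The sample configuration is constructed for the example; the parser assumes flat `client name { key = value }` blocks with no nested sub-sections.

```python
import re
import secrets
import string

# Constructed sample clients.conf (not from the thread). "testing123" is the
# well-known FreeRADIUS default secret and is included to show it gets flagged.
SAMPLE_CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    proto = *
}

client branch-ap {
    ipaddr = 192.0.2.10
    secret = "hunter2"
    proto = udp
}

client partner-radsec {
    ipaddr = 198.51.100.7
    proto = tls
    secret = radsec
}

client core-switch {
    ipaddr = 203.0.113.5
    secret = Lk9!vQp3sXz8Wm2rT4yBn6Hd
}
"""

# Assumption: flat client blocks only; nested sub-sections (e.g. limit { })
# would confuse this non-greedy match.
CLIENT_BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
# key = value, where value is either a double-quoted string or a bare token
SETTING = re.compile(r"^\s*(\w+)\s*=\s*(\"[^\"]*\"|\S+)", re.MULTILINE)


def parse_clients(text):
    """Return {client_name: {key: value}} for every client { ... } block."""
    clients = {}
    for block in CLIENT_BLOCK.finditer(text):
        name, body = block.group(1), block.group(2)
        settings = {}
        for setting in SETTING.finditer(body):
            settings[setting.group(1)] = setting.group(2).strip('"')
        clients[name] = settings
    return clients


def classify_secret(settings):
    """Apply the draft's length thresholds to one client's shared secret.

    Clients using proto = tls are RADIUS/TLS peers: the secret is a fixed
    placeholder there and the transport security comes from TLS.
    """
    secret = settings.get("secret", "")
    if settings.get("proto") == "tls":
        return "ok: RADIUS/TLS, shared secret not relied upon"
    if len(secret) <= 8:
        return "compromised: secret of 8 characters or less"
    if len(secret) <= 10:
        return "weak: secret of 10 characters or less"
    return "ok"


def audit(text):
    """Map each client name in a clients.conf text to its finding."""
    return {name: classify_secret(s) for name, s in parse_clients(text).items()}


def new_secret(length=32):
    """Generate a replacement secret from a CSPRNG (letters and digits only,
    so it needs no quoting in clients.conf)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for client, finding in audit(SAMPLE_CLIENTS_CONF).items():
        print(f"{client:16} {finding}")
    print("example replacement secret:", new_secret())
```

Run against a real `clients.conf`, any client reported as `compromised` or `weak` that still speaks RADIUS/UDP should get a new long secret from `new_secret()` as a stop-gap, and be moved to RADIUS/TLS as the draft recommends; rotating the secret alone does nothing for the passwords the draft says to treat as already exposed.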

