It may be frustrating to have
to employ workarounds to inherent deficiencies in the RADIUS
protocol. As informed, knowledgeable RADIUS users (and you are
knowledgeable now that you are reading this book), we need to push
for a protocol revision. Joshua Hill, of InfoGard Laboratories,
eloquently makes a case for a revision in the following mini-essay.
So, why attempt to modify RADIUS at all? Why not just go to another
(presumably more modern and more secure) protocol? Well, for the most
part, the answer is, "because such a protocol
doesn't currently exist." In the
near future, however, Diameter is likely to be released by the IETF.
Diameter is the planned RADIUS replacement. The great majority of all
the protocol work that has gone into Diameter has been directed at
removing some of the functional limitations imposed by the RADIUS
protocol. Effectively, no work has been done that relates to the
client/server security of the protocol. (CMS is defined, but this is
a security layer for the proxy to proxy interaction, not the client
to proxy/server interaction.)
So, does this mean that they continue to use even
RADIUS' ad hoc system? No: they removed all security
functionality from the protocol. In essence, the developers did the
protocol designer's equivalent of punting. Section
2.2 of the current Diameter protocol spec says:
"Diameter clients, such as Network Access
Servers (NASes) and Foreign Agents MUST support IP Security, and MAY
support TLS. Diameter servers MUST support TLS, but the administrator
MAY opt to configure IPSec instead of using TLS. Operating the
Diameter protocol without any security mechanism is not
So, IPSec and/or TLS handle all security aspects of the protocol.
From a security aspect, this strikes me as a very good idea. Both
IPSec and TLS are fully featured (sometimes too fully featured)
protocols that many people have reviewed. That's
already much better than RADIUS ever did.
Examining this from a slightly different angle gives me some cause
for concern, however. It strikes me that the overhead imposed by a
full TLS/IPSec implementation is very significant for many
current-day embedded devices. This would seem to indicate that (at
least in the near future) manufactures are going to either continue
to use RADIUS or ignore the Diameter standard and perform Diameter
without TLS or IPSec.
Because of this, I suspect that it would be advantageous to
push for at least minimal RADIUS protocol revision.