Archive for March, 2007

Securing the server source

Saturday, March 31st, 2007

There hasn't been a security problem with the server in over a year (barely). That's good, but we'd like it to be better. Therefore, we've started working with Coverity, makers of source code analysis tools. They host an open source scanning site, and have recently added FreeRADIUS to the mix.

The announcement came as part of their one-year anniversary of scanning open source projects. The bad news is that they found bugs, which is not entirely surprising. The good news is that none of the bugs have security implications, and that we're working on fixing all of them.

The goal is to have Coverity show a scan result of zero bugs before 1.1.6 is released. We'd like to get a “pre-scan” of 2.0, so that it also has zero bugs. This doesn't mean that the server will be bug-free, as there may still be logic errors in the code. What it does mean is that there should be no security bugs in the server.

AAA is becoming ubiquitous

Wednesday, March 21st, 2007

I'm at IETF 68 in Prague. I'm sure Prague is a nice city, but I'm not seeing much more than the conference hotel, and a few local watering holes. I always liked the movie “Kafka”, and wanted to go see the sites where various scenes were shot. Maybe next time.

The IETF meetings, though, are enlightening. I haven't been following many standards groups, but when I sat in on the meetings, I noticed that AAA was everywhere. And most of it was RADIUS.

I think the network is at the point where network protocols are converging. In order to do anything in an authenticated, accounted, secure manner, there's a minimum set of things that have to be done. The result is that it seems most protocols now include references to other protocols to enable this, that, or the other thing. (Sort of like my RADIUS + DTLS draft, which proposes to solve the RADIUS cryptography problems by using TLS.)

The widespread use of AAA means I'll have to follow more working groups, and do so in more detail. What impact this has on my free time is yet to be determined.

The good news is that I'm finding more time to work on the book, and on FreeRADIUS. I'm now targeting the book at Version 2.0, with the idea of releasing the book shortly after Version 2.0 comes out. I hope both happen soon.