
Re: digest-auth, nonce replay issue



 
> Searching about in the draft, I can't find any place where 
> the words "MUST" and "IPSec" appear in the same sentence
You are right. I mixed it up with Digest-HA1.

> I do find several passages that assume that applications can 
> know whether or not the application traffic is protected by 
> IPSec, something that I was unaware was possible...
The application cannot detect whether the password was posted on a
mailing list either.

For the argument's sake, an application could consult the local
IPsec policy database and check whether the RADIUS address quadruple
is covered by an appropriate rule. I am aware that existing APIs
are not sufficient here and that VPN tunnels can't be discovered
this way.

A pragmatic approach would be to spell out a warning in the
manual or in the syslog: 'If you plan to use such and such an
option, make sure your RADIUS traffic is protected or you'll
be doomed.'

> > However, the RADIUS server has to trust the first timestamp it 
> > receives from a RADIUS client. What if the RADIUS client's clock is 
> > adjusted during operation?
> 
> That's why you have to specify the required level of clock synchronization...
I feel a bit uneasy about this. When some technician plays with the time zone,
a whole SIP server won't be able to handle calls any longer.

> 
> ...
> 
> > Hope this helps,
It does.


Wolfgang

--
T-Systems Enterprise Services GmbH
Technologiezentrum
Next Generation IP Services and Systems
+49 6151 9372863
Am Kavalleriesand 3
64295 Darmstadt
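The replay and clock-skew discussion above, as an added example (not code from the draft, from T-Systems, or from this list): a RADIUS-server-side checker for client-generated nonces that carry the client's own timestamp. The nonce layout (8-byte timestamp, 4-byte counter, truncated HMAC-SHA256 tag), the per-client "newest timestamp seen" bookkeeping, the MAX_SKEW window, the client ids and the shared key are all assumptions made for this illustration. The two demo functions show the replay rejection, and then the failure mode Wolfgang describes: once the server has taken a client's timestamp on trust, a clock set backwards on that client (or a brief jump forward followed by a correction) makes every correctly-timed nonce from it look stale.

```python
import base64
import hashlib
import hmac
import struct

# Tolerance between a nonce's timestamp and the newest timestamp the server has
# already accepted from the same client.  Hypothetical value for this example.
MAX_SKEW = 60


def make_nonce(key: bytes, client_id: str, ts: int, counter: int) -> str:
    """RADIUS client side (e.g. a SIP server): build a nonce from its own clock.

    Layout is an assumption for this example: 8-byte timestamp, 4-byte counter,
    then a 16-byte truncated HMAC-SHA256 over timestamp, counter and client id.
    """
    head = struct.pack("!QI", ts, counter)
    tag = hmac.new(key, head + client_id.encode(), hashlib.sha256).digest()[:16]
    return base64.b64encode(head + tag).decode()


class NonceChecker:
    """RADIUS server side: integrity, freshness and replay check of nonces."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.newest = {}   # client_id -> newest timestamp accepted from it
        self.seen = {}     # client_id -> set of (ts, counter) still inside the window

    def check(self, client_id: str, nonce: str) -> str:
        """Return 'ok', 'malformed', 'bad-tag', 'replay' or 'stale'."""
        try:
            raw = base64.b64decode(nonce, validate=True)
        except ValueError:
            return "malformed"
        if len(raw) != 12 + 16:
            return "malformed"
        head, tag = raw[:12], raw[12:]
        want = hmac.new(self.key, head + client_id.encode(), hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, want):
            return "bad-tag"
        ts, counter = struct.unpack("!QI", head)

        newest = self.newest.get(client_id)
        if newest is None:
            # First nonce from this client: there is nothing to compare the
            # timestamp against, so the server has to take it on trust.
            newest = ts
        if ts < newest - self.max_skew:
            # Older than anything the server still remembers for this client,
            # so it can no longer distinguish a replay from a late packet.
            return "stale"
        seen = self.seen.setdefault(client_id, set())
        if (ts, counter) in seen:
            return "replay"
        seen.add((ts, counter))
        if ts > newest:
            newest = ts
            # Drop entries that could not be accepted any more (bounds memory).
            seen.difference_update({e for e in seen if e[0] < newest - self.max_skew})
        self.newest[client_id] = newest
        return "ok"


def demo_replay_and_clock_back():
    """Constructed scenario: replay, then a technician sets the client clock back."""
    key = b"constructed-shared-key"      # constructed sample, not a real secret
    chk = NonceChecker(key)
    t0 = 1_700_000_000
    n1 = make_nonce(key, "sip1", t0, 1)
    results = [
        chk.check("sip1", n1),                                   # ok: first timestamp, trusted
        chk.check("sip1", n1),                                   # replay
        chk.check("sip1", make_nonce(key, "sip1", t0 + 10, 2)),  # ok
        chk.check("sip1", make_nonce(key, "sip1", t0 + 10 - 3600, 3)),   # stale: clock set back 1 h
        chk.check("sip1", make_nonce(b"wrong-key", "sip1", t0 + 11, 4)), # bad-tag: not our key
    ]
    return results


def demo_clock_jump_forward():
    """Constructed scenario: one request with a clock an hour ahead poisons the window."""
    key = b"constructed-shared-key"
    chk = NonceChecker(key)
    t0 = 1_700_000_000
    r = [chk.check("sip2", make_nonce(key, "sip2", t0, 1))]           # ok
    r.append(chk.check("sip2", make_nonce(key, "sip2", t0 + 3600, 2)))  # ok, moves 'newest' ahead
    r.append(chk.check("sip2", make_nonce(key, "sip2", t0 + 1, 3)))     # stale, although the clock is now right
    return r


if __name__ == "__main__":
    print(demo_replay_and_clock_back())
    print(demo_clock_jump_forward())
```

The second scenario is the one to keep in mind when writing the clock-synchronization requirement: the checker never consults the server's own clock, it only compares each client against what that client sent earlier, so a single mis-timed request shifts the window and the client stays locked out until its clock catches up with its own earlier mistake. Comparing against the server clock as well would cap the damage to MAX_SKEW, at the price of needing the very clock synchronization the thread is arguing about.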



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>