
Re: Review of draft-ietf-radext-digest-auth-08.txt (fwd)




> -----Original Message-----
Alexey
>>   2.1.2.  Constructing an Access-Request
>> [...]
>> 
>>   Due to syntactic requirements, HTTP-style protocols have to escape
>>   quote characters in contents of HTTP Digest directives.  When
> 
> "with backslash all quote and backslash characters in contents of ..."
OK

>>
>>   2.2.1.  General Attribute Checks
> 
>> [...]
>>   The RADIUS server removes '\' characters that escape quote
>>   characters from the text values it has received in the Digest-*
>>   attributes.
> 
> "... that escape quote and '\' characters ..."
OK

>>   8.1.  Denial of Service
>> [...]
>>   An attacker can attempt a denial of service attack on one or more
>>   RADIUS servers by sending a large number of HTTP-style requests.  To
>>   make simple denial of service attacks more difficult, the nonce
>>   issuer (RADIUS client or server) MUST check if it has generated the
>>   nonce received from an HTTP-style client.  This SHOULD be done
>>   statelessly.  For example, a nonce could consist of a
>>   cryptographically random part and some kind of signature provided by
>>   the RADIUS client, as described in [RFC2617], section 3.2.1.
> 
> The RADIUS client no longer generates nonces, so it can't 
> verify signature, unless it knows how RADIUS server generates nonces.
>
I knew I'd miss some of those.
 
>>   9.  Acknowledgments
>> 
>>   We would like to acknowledge Kevin Mcdermott (Cisco Systems) /or
>>   providing comments and experimental implementation.
> 
> typo: "for"

Thank you for reviewing this document again.

Wolfgang

--
T-Systems Enterprise Services GmbH
Systems Integration
Technologiezentrum
Engineering Networks, Products & Services
Next Generation IP Services & Systems
Am Kavalleriesand 3
64295 Darmstadt
Tel +49 6151 937 2863



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>