> Since we assume only one accounting stream from visited AAA to home|
> AAA, the fraud issue is limited. Most networks bill on the basis of
> time, and one stream can't have multiple start/stop times. Other
> networks bill on the basis of data usage, and visited networks can
> already claim inflated numbers. (i.e. it isn't a problem.)
[BA] By a "stream" you mean Accounting-Requests from a single NAS, right?
As the user moves between NASes, Accounting-Requests will be generated,
with Start/Stop to mark the beginning and end of a session on a particular
> Since ERX is not for intra-domain handovers, I think it's best to
> leave this as a requirement on the visited AAA server, as below:
[BA] So with ERX it is necessary to do a full EAP authentication every time
a peer enters a new domain? I guess that this is a consequence of not
being able to assume EMSK caching within the AAA server.
> The accounting stream is tied to the original EAP authentication,
> which must carry information about the visited domain.
[BA] How is information about the visited domain encoded by the NAS?
Looking at the document, it appears that the DSRK can be requested
by any ERX proxy along the path. Does the AAA server assume that
whatever ERX proxy has submitted the request is valid before delivering
the key? Or is there information provided by the NAS that it is supposed
to check against? For example, does it do a reverse PTR RR query
on the NAS-IP-Address Attribute and check that the proxy submitting
the DSRK request is within the same domain?