Re: Comments on draft-carroll-dynmobileip-cdma-04.txt
> In addition, I couldn't find any reference to message integrity
> protection. Did I just miss it?
The document does not contain an attribute table listing what attributes
are sent in which messages, so it's hard to tell what attributes are
required/permitted/disallowed in which messages. Since all RADIUS RFCs
contain such a table, it's quite unusual that it is omitted.
However, "Message-Authenticator" is not mentioned anywhere in the document,
which seems to imply that Message-Authenticator is not required to be
present in Access-Request messages. This means that requests are not
protected, which is a violation of RFC 2869, Section 5.19:
[Note 1] An Access-Request that contains either a User-Password or
CHAP-Password or ARAP-Password or one or more EAP-Message attributes
MUST NOT contain more than one type of those four attributes. If it
does not contain any of those four attributes, it SHOULD contain a
Message-Authenticator. If any packet type contains an EAP-Message
attribute it MUST also contain a Message-Authenticator.
Also, Section 7.9 seems to specify that RADIUS messages are encrypted, but
not how:
7.9 Network Message Security
The security of the MN-HA keys delivered from the RADIUS AAA server
to the MIP home agent requires confidentiality for network messages
containing such keys. The specification of security requirements for
network messages is the responsibility of the operator, and is
outside the scope of this document. (Note that similar considerations
apply to the distribution of Shared Secret Data, which is already
transmitted between nodes in the ANSI-41 network.)
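The following is an added worked example, not part of this message, of the
draft or of any RADIUS implementation. It shows what the missing
Message-Authenticator actually buys: the attribute is an HMAC-MD5, keyed
with the RADIUS shared secret, over the whole Access-Request (Code,
Identifier, Length, Request Authenticator and all attributes) with its own
16-octet value zeroed, as specified in RFC 2869, Section 5.14. The shared
secret, the attribute contents and the fixed Request Authenticator are
constructed for the demonstration; a real client draws the Request
Authenticator from a CSPRNG. The last case, a request with no
Message-Authenticator, is what the draft appears to permit, and the verifier
can do nothing with it.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types used here (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869, section 5.14
HEADER_LEN = 20                   # Code, Identifier, Length, Authenticator


def attr(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (incl. header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier, attributes, request_authenticator):
    """Build a raw Access-Request from attribute octets and a 16-octet
    Request Authenticator. No integrity protection is applied here."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    length = HEADER_LEN + len(attributes)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator + attributes


def _ma_value_offset(packet):
    """Offset of the 16-octet Message-Authenticator value, or None if absent."""
    i = HEADER_LEN
    while i + 2 <= len(packet):
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 octets")
            return i + 2
        i += attr_len
    return None


def _with_ma_value(packet, value):
    """Return packet with the Message-Authenticator value replaced."""
    off = _ma_value_offset(packet)
    if off is None:
        raise ValueError("packet has no Message-Authenticator attribute")
    return packet[:off] + value + packet[off + 16:]


def compute_message_authenticator(secret, packet):
    """HMAC-MD5 keyed with the shared secret over the whole packet with the
    Message-Authenticator value set to 16 zero octets (RFC 2869, 5.14)."""
    return hmac.new(secret, _with_ma_value(packet, bytes(16)), hashlib.md5).digest()


def protect_access_request(secret, identifier, attributes, request_authenticator=None):
    """Append a Message-Authenticator attribute and fill in its value."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = attributes + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = build_access_request(identifier, attrs, request_authenticator)
    return _with_ma_value(packet, compute_message_authenticator(secret, packet))


def verify_message_authenticator(secret, packet):
    """True only if the packet carries a Message-Authenticator that matches.
    A request without the attribute returns False: nothing binds its
    attributes to the shared secret, so anyone on the path can alter them."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        off = _ma_value_offset(packet)
    except ValueError:
        return False
    if off is None:
        return False
    expected = compute_message_authenticator(secret, packet)
    return hmac.compare_digest(packet[off:off + 16], expected)


if __name__ == "__main__":
    # Constructed sample: hypothetical shared secret and attribute set.
    secret = b"constructed-shared-secret"
    attributes = attr(ATTR_USER_NAME, b"mn@example.net") + attr(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))
    ra = bytes(range(16))  # fixed so the run is reproducible; use os.urandom(16) in practice

    protected = protect_access_request(secret, 7, attributes, ra)
    print("protected request verifies:", verify_message_authenticator(secret, protected))

    tampered = bytearray(protected)
    tampered[HEADER_LEN + 2] ^= 0x01   # flip one bit of the User-Name value
    print("tampered request verifies:", verify_message_authenticator(secret, bytes(tampered)))

    bare = build_access_request(7, attributes, ra)  # what the draft appears to allow
    print("request without Message-Authenticator verifies:", verify_message_authenticator(secret, bare))
```

The verifier deliberately returns False for a request that lacks the
attribute rather than accepting it: a server policy that requires
Message-Authenticator is the only thing that turns the SHOULD in RFC 2869
Note 1 into actual protection, and HMAC-MD5 here is what the RFC specifies,
not a recommendation for new designs.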