
Re: Deployment (Was: Re: NAI decoration: User Identity issues)
On Fri, Jul 16, 2004 at 08:57:12PM +0300, Jari Arkko wrote:
> 
> Perhaps the answer lies in the definition of the
> business model. Is it
> 
>   (a) Access provider MUST present a fixed cost bill
>       per user per month, and MUST ensure that a given
>       user is logged on at most once at any given time.

Let me ask the standard security question:  What's the threat model?

If the fear is that the intermediary's customer itself may cheat,
by trying to get away with paying for fewer users than it actually
has, the business model is non-viable, because the customer's server
can keep track of how many simultaneous sessions there are and
generate fake User-Aliases user0001, user0002 etc.

So we decide to trust the customer's server.  But in that case, we may
just as well rely on having the server rewrite User-Name in the Accept,
as the only risk is that the server will fake the realm.  But such
fakery can be detected by the intermediary, because it's capable of
logging both the request and the accept, or even doing a real-time check.

As a side note, since detection of session-end is not always
completely reliable (modems can be slow to drop DCD, and similar
issues apply to newer access technologies or (heaven forfend!) the
NAS may silently die) limiting the user to at most 1 simultaneous
login can generate annoyance and/or help-desk calls on false
positives.  A brilliant product-line manager at the ISP with which
I was once associated changed the limit to two, which made that
problem disappear without reducing protection against massive abuse.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
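To make the intermediary-side checks in the message above concrete, here is an added example (my own code, not from the thread or any RADIUS implementation): it correlates an Access-Request with its Access-Accept and flags a reply whose rewritten User-Name changes the realm rather than just the user part, and it counts simultaneous sessions per original User-Name with the two-login limit Barney describes. The message dicts and attribute names are a constructed stand-in for parsed RADIUS packets.

```python
"""Intermediary checks for User-Name rewriting and simultaneous logins."""
from collections import defaultdict


def split_nai(user_name):
    """Split an NAI 'user@realm' into (user, realm); realm is '' if absent."""
    user, sep, realm = user_name.rpartition('@')
    if not sep:
        return user_name, ''
    return user, realm


def check_accept(request, accept):
    """Return findings for one Access-Request/Access-Accept pair.

    Both arguments are dicts holding a 'User-Name' key (constructed format).
    A customer's home server may omit User-Name in the Accept or rewrite it
    to an alias; rewriting the user part is allowed, changing the realm is
    the fakery the intermediary wants to detect.
    """
    findings = []
    _, req_realm = split_nai(request['User-Name'])
    acc_name = accept.get('User-Name')
    if acc_name is None:
        return findings  # no rewrite, nothing to compare
    _, acc_realm = split_nai(acc_name)
    if acc_realm != req_realm:
        findings.append(f"realm rewritten: {req_realm!r} -> {acc_realm!r}")
    return findings


class SessionTracker:
    """Count active sessions per user, keyed on the User-Name from the
    Access-Request (before any rewrite), so aliases in the Accept cannot
    inflate the apparent user count.  A limit of 2 absorbs a stale session
    left behind by a slow DCD drop or a silently dead NAS."""

    def __init__(self, limit=2):
        self.limit = limit
        self.active = defaultdict(set)

    def start(self, request_user_name, session_id):
        """Register a session; return False if the user is at the limit."""
        key = split_nai(request_user_name)
        if len(self.active[key]) >= self.limit:
            return False
        self.active[key].add(session_id)
        return True

    def stop(self, request_user_name, session_id):
        """Drop a session on Accounting-Stop (or on a timeout sweep)."""
        self.active[split_nai(request_user_name)].discard(session_id)
```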