
Re: Issue with SIP - Need for Message-Authenticator

Thanks for pointing this out Avi.  Here is what it says in Section 5.19 of
RFC 2869:

   An Access-Request that contains either a User-Password or
   CHAP-Password or ARAP-Password or one or more EAP-Message attributes
   MUST NOT contain more than one type of those four attributes.  If it
   does not contain any of those four attributes, it SHOULD contain a
   Message-Authenticator.  If any packet type contains an EAP-Message
   attribute it MUST also contain a Message-Authenticator.

Note that Message-Authenticator is based on HMAC-MD5.  Recent research has
demonstrated collisions in MD5 (though not in HMAC-MD5), so that it may
make sense to define a new attribute that uses a more highly regarded
algorithm, such as HMAC-SHA1.

On Thu, 26 Aug 2004, Avi Lior wrote:

> Wolfgang,
>
> In the SIP doc I think you need to use Message-Authenticator(80) in the
> access request.
>
> The problem is this:  without using a field such as CHAP-Password or
> Password, the RADIUS server has no way to validate that the Access-Request
> is arriving from a valid NAS.
>
> Message-Authenticator(80) is used to provide integrity protection for the
> entire Access-Request packet and can be used by the RADIUS Server to
> validate that the packet was received from a known Client (since the
> Message-Authenticator uses a shared secret shared by the Client-Server.)

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
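To make concrete what the two messages above describe, here is an added example (not code from this thread or from any RADIUS implementation) that builds an Access-Request carrying a Message-Authenticator(80) and verifies it the way a RADIUS server would. It follows the layout in RFC 2865 (Code, Identifier, Length, 16-byte Request Authenticator, then Type/Length/Value attributes) and the rule in RFC 2869 section 5.14: the value is HMAC-MD5, keyed with the client/server shared secret, over the whole packet with the 16-byte Message-Authenticator value zero-filled during the calculation. The shared secret, user name and NAS address are constructed sample values.

```python
"""Compute and verify the RADIUS Message-Authenticator attribute (type 80).

Added example for the thread above, not code from the original messages.
Per RFC 2869 s5.14 the value is HMAC-MD5(shared secret, packet) where the
packet's own Message-Authenticator value is zero-filled while computing.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Request Authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length includes the 2 header bytes."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def iter_attrs(packet: bytes):
    """Yield (offset, type, value) for every attribute, rejecting malformed lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match the packet")
    off = HEADER_LEN
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("malformed attribute length")
        yield off, attr_type, packet[off + 2 : off + attr_len]
        off += attr_len


def compute_message_authenticator(packet: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 over the packet with the Message-Authenticator value zero-filled."""
    for off, attr_type, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator value must be 16 bytes")
            zeroed = packet[: off + 2] + b"\x00" * 16 + packet[off + 18 :]
            return hmac.new(secret, zeroed, hashlib.md5).digest()
    raise ValueError("packet carries no Message-Authenticator attribute")


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: True only if the HMAC matches under this shared secret.

    A missing or malformed attribute, or a tampered byte anywhere in the
    packet, yields False, so the server can drop the request as not coming
    from a known client.
    """
    try:
        expected = compute_message_authenticator(packet, secret)
    except ValueError:
        return False
    for _off, attr_type, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            return hmac.compare_digest(expected, value)
    return False


def build_access_request(identifier: int, attrs, secret: bytes,
                         request_authenticator: bytes = None) -> bytes:
    """Client side: append a zero-filled Message-Authenticator, then fill in the HMAC."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)  # RFC 2865: unpredictable per request
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    mac = compute_message_authenticator(packet, secret)
    return packet[:-16] + mac  # the zero-filled attribute is the last one


# Constructed sample values for the demonstration (not from any real deployment).
SHARED_SECRET = b"example-shared-secret"
SAMPLE_ATTRS = [
    (ATTR_USER_NAME, b"sip:alice@example.net"),
    (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # RFC 5737 documentation address
]


def demo():
    """Return (valid, wrong_secret_valid, tampered_valid) for a sample request."""
    pkt = build_access_request(7, SAMPLE_ATTRS, SHARED_SECRET,
                               request_authenticator=bytes(range(16)))
    valid = verify_message_authenticator(pkt, SHARED_SECRET)
    wrong_secret = verify_message_authenticator(pkt, b"not-the-secret")
    # Flip one bit in the User-Name value: the HMAC covers every attribute.
    tampered = bytearray(pkt)
    tampered[HEADER_LEN + 2] ^= 0x01
    tampered_ok = verify_message_authenticator(bytes(tampered), SHARED_SECRET)
    return valid, wrong_secret, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The zero-fill step is the part implementations most often get wrong: the HMAC must be computed over the packet exactly as it will be sent, with only the 16 value bytes of attribute 80 replaced by zeros, and the Request Authenticator included. Note that the attribute is only as strong as the shared secret and HMAC-MD5; a SHA-based attribute of the kind Wolfgang suggests would change only the digest passed to `hmac.new`, but no such attribute is defined in the RFCs quoted here.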