
RE: Issue with SIP - Need for Message-Authenticator



owner-radiusext@ops.ietf.org wrote:
> Thanks for pointing this out Avi.  Here is what it says in
> Section 5.19 of RFC 2869:
> 
>    An Access-Request that contains either a User-Password or
>    CHAP-Password or ARAP-Password or one or more EAP-Message
>    attributes MUST NOT contain more than one type of those four
>    attributes.  If it
>    does not contain any of those four attributes, it SHOULD contain a
>    Message-Authenticator.  If any packet type contains an EAP-Message
>    attribute it MUST also contain a Message-Authenticator.
> 
> Note that Message-Authenticator is based on HMAC-MD5.  Recent
> research has demonstrated collisions in MD5 (though not in
> HMAC-MD5), so that it may make sense to define a new
> attribute that uses a more highly regarded algorithm, such as
> HMAC-SHA1. 

[Joe] See
http://www.ietf.org/internet-drafts/draft-zorn-radius-keywrap-01.txt, which
defines an attribute that can use SHA for message authentication.

> 
> On Thu, 26 Aug 2004, Avi Lior wrote:
> 
>> Wolfgang,
>> 
>> In the SIP doc I think you need to use Message-Authenticator(80) in
>> the access request. 
>> 
>> The problem is this:  without using a field such as CHAP-Password or
>> Password, the RADIUS server has no way to validate that the
>> Access-Request is arriving from a valid NAS.
>> 
>> Message-Authenticator(80) is used to provide integrity protection for
>> the entire Access-Request packet and can be used by the RADIUS Server
>> to validate that the packet was received from a known Client (since
>> the Message-Authenticator uses a shared secret shared by the
>> Client-Server.) 
>> 



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
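As an added illustration of the check Avi describes (not code from this thread or from any RADIUS implementation): a minimal Python model of the RFC 2869 Message-Authenticator, computed as HMAC-MD5 keyed with the shared secret over the whole Access-Request with the attribute's own value set to 16 zero octets, together with the server-side verification that rejects a tampered packet or one lacking the attribute. The user name, NAS address, shared secret and Request Authenticator are constructed placeholders.

```python
import hmac
ACCESS_REQUEST, USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 1, 4, 80

def attr(t, value):
    # RADIUS attribute TLV: Type(1) Length(1, header included) Value
    return bytes([t, len(value) + 2]) + value

def access_request(identifier, request_authenticator, attrs):
    # Code(1) Identifier(1) Length(2) Authenticator(16) followed by attributes
    body = b"".join(attrs)
    return bytes([ACCESS_REQUEST, identifier]) + (20 + len(body)).to_bytes(2, "big") + request_authenticator + body

def find_attr(packet, t):
    # Walk the attribute list; return (offset of value, value) or None
    pos = 20
    while pos + 2 <= len(packet):
        typ, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        if typ == t:
            return pos + 2, packet[pos + 2:pos + length]
        pos += length
    return None

def message_authenticator(packet, secret):
    # RFC 2869 5.14: HMAC-MD5 (key = shared secret) over the whole packet with this value zeroed
    found = find_attr(packet, MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        raise ValueError("no 16-octet Message-Authenticator")
    off = found[0]
    return hmac.new(secret, packet[:off] + bytes(16) + packet[off + 16:], "md5").digest()

def sign(packet, secret):
    # Client side: fill in the Message-Authenticator value before sending
    mac = message_authenticator(packet, secret)
    off = find_attr(packet, MESSAGE_AUTHENTICATOR)[0]
    return packet[:off] + mac + packet[off + 16:]

def verify(packet, secret):
    # Server side: reject if absent or malformed, otherwise constant-time compare
    try:
        expected = message_authenticator(packet, secret)
    except ValueError:
        return False
    return hmac.compare_digest(expected, find_attr(packet, MESSAGE_AUTHENTICATOR)[1])

# Constructed sample: SIP-style Access-Request carrying no password attribute at all
SECRET, REQ_AUTH = b"example-shared-secret", bytes(range(16))  # placeholders; real clients use random REQ_AUTH
SIGNED = sign(access_request(7, REQ_AUTH, [attr(USER_NAME, b"alice@example.net"),
    attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10])), attr(MESSAGE_AUTHENTICATOR, bytes(16))]), SECRET)
```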