[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Issue 7] Message Authenticator

To: radiusext@ops.ietf.org
Subject: Re: [Issue 7] Message Authenticator
From: Bernard Aboba <aboba@internaut.com>
Date: Wed, 3 Nov 2004 20:34:37 -0800 (PST)

Wolfgang Beck wrote:

"RFC 2869 is informational. I see that it is useful but
I hesitate to make it mandatory.

new text:
'Informational RfC 3579 [RFC3579], section 3.2 describes
a Message-Authenticator attribute which MAY be used to protect the
integrity of RADIUS messages.'"

Omitting Message-Authenticator enables an attacker to forge Access-Request
packets.  The reason RFC 3579 could not make use of Message-Authenticator
mandatory for all RADIUS packets (just for packets containing an
EAP-Message attribute) was because Message-Authenticator was not required
in RFC 2865, so that it was not sent by legacy RADIUS-clients.

That problem does not occur here;  Digest Authentication is a new RADIUS
capability.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Prev by Date: [Issue 15] Editorial NITs with RFC 2486bis-01
Next by Date: Verification of WG consensus on Digest Issues 3, 4, 5, 6, 8, 11
Previous by thread: [Issue 15] Editorial NITs with RFC 2486bis-01
Next by thread: RE: [Issue 7] Message Authenticator
Index(es):
- Date
- Thread