RE: [Issue 7] Message Authenticator
Hi Bernard,
I think that Message-Authenticator should be mandatory.
Points of clarification:
In this email you say: "Message-Authenticator was not required in RFC 2865,
so that it was not sent by legacy RADIUS-clients."
On the issues list you say:
[Bernard Aboba] Use of Message Authenticator is required by RFC 2865.
Can you please clarify these seemingly contrary statements?
> -----Original Message-----
> From: Bernard Aboba [mailto:aboba@internaut.com]
> Sent: November 3, 2004 11:35 PM
> To: radiusext@ops.ietf.org
> Subject: Re: [Issue 7] Message Authenticator
>
>
> Wolfgang Beck wrote:
>
> "RFC 2869 is informational. I see that it is useful but
> I hesitate to make it mandatory.
>
> new text:
> 'Informational RfC 3579 [RFC3579], section 3.2 describes
> a Message-Authenticator attribute which MAY be used to
> protect the integrity of RADIUS messages.'"
>
> Omitting Message-Authenticator enables an attacker to forge
> Access-Request packets. The reason RFC 3579 could not make
> use of Message-Authenticator mandatory for all RADIUS packets
> (just for packets containing an EAP-Message attribute) was
> because Message-Authenticator was not required in RFC 2865,
> so that it was not sent by legacy RADIUS-clients.
>
> That problem does not occur here; Digest Authentication is a
> new RADIUS capability.
>
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
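The integrity check the thread is arguing about, as an added example (not code from the thread, from RFC 3579 or from any RADIUS implementation): it builds a minimal Access-Request, computes the Message-Authenticator as HMAC-MD5 over the packet with the attribute zeroed (RFC 3579 section 3.2), and shows that a server which treats the attribute as mandatory rejects both a modified packet and one that omits the attribute entirely. The shared secret, Request Authenticator and User-Name are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1        # RFC 2865 attribute type
MSG_AUTH = 80        # Message-Authenticator attribute type, RFC 3579 section 3.2

def build_packet(code, ident, request_auth, attrs):
    """Serialize header (code, id, length, 16-byte authenticator) plus TLV attributes."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body

def parse_attrs(packet):
    """Yield (type, value, offset_of_value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        yield t, packet[pos + 2:pos + length], pos + 2
        pos += length

def _mac(packet, off, secret):
    # HMAC-MD5 over the whole packet with the 16-byte attribute value set to zero.
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def sign(packet, secret):
    """Fill in the Message-Authenticator value; the packet must already carry the attribute."""
    for t, _, off in parse_attrs(packet):
        if t == MSG_AUTH:
            return packet[:off] + _mac(packet, off, secret) + packet[off + 16:]
    raise ValueError("packet has no Message-Authenticator attribute")

def verify(packet, secret, require=True):
    """True if the Message-Authenticator is valid; a missing attribute passes only if not required."""
    for t, value, off in parse_attrs(packet):
        if t == MSG_AUTH:
            return hmac.compare_digest(_mac(packet, off, secret), value)
    return not require

def demo(secret=b"constructed-shared-secret"):
    """Returns (valid, modified, missing_required, missing_optional) verification results."""
    req_auth = bytes(range(16))  # constructed stand-in for the random Request Authenticator
    signed = sign(build_packet(ACCESS_REQUEST, 7, req_auth,
                               [(USER_NAME, b"alice"), (MSG_AUTH, b"\x00" * 16)]), secret)
    modified = signed.replace(b"alice", b"bobby")  # same length, so framing is unchanged
    unsigned = build_packet(ACCESS_REQUEST, 7, req_auth, [(USER_NAME, b"alice")])
    return (verify(signed, secret), verify(modified, secret),
            verify(unsigned, secret, require=True), verify(unsigned, secret, require=False))
```

The last two results are the point of the thread: with `require=False` (the RFC 2865 legacy behaviour) a packet with no Message-Authenticator is accepted on the strength of the random Request Authenticator alone, which provides no integrity protection.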