[Issue] RFC 3576 Usage of Message-Authenticator



RFC 3576 calculation of the Request and Response Authenticator is modelled
after RFC 2866 (RADIUS Accounting).  However, the Message-Authenticator
attribute is not allowed in Accounting-Request and Accounting-Response
messages, because these messages do not contain a random Request
Authenticator, as specified in RFC 3579:

      Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
      Request Authenticator, Attributes)

It therefore would appear that a Message-Authenticator attribute is not
allowed in CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request,
Disconnect-ACK or Disconnect-NAK messages.

This is contrary to the table in Section 3.2, which has the following
entry for both CoA and Disconnect messages:

   Request   ACK      NAK   #   Attribute
   0-1       0-1      0-1  80   Message-Authenticator

Proposed Resolution:

My proposal is that we submit an errata to RFC 3576, changing the "0-1"
entries to "0" entries.

--
archive: <http://psg.com/lists/radiusext/>
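Added example, not part of the original message or of any RFC text: a Python sketch of the two calculations the message contrasts, the RFC 2866-style Request Authenticator used by Disconnect and CoA requests and the RFC 3579 Message-Authenticator HMAC over an Access-Request. The shared secret, user name, identifier and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"constructed-secret"  # constructed sample shared secret
ACCESS_REQUEST, DISCONNECT_REQUEST = 1, 40  # RADIUS packet codes
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80    # RADIUS attribute types


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def derived_request_authenticator(code, ident, attrs, secret):
    """RFC 2866 style: MD5(Code, ID, Length, 16 zero octets, Attributes, secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 3579: HMAC-MD5(Type, Identifier, Length, Request Authenticator,
    Attributes). The attribute's own value is 16 zero octets during the HMAC."""
    attrs = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()


def compare(ident=7, user=b"alice"):
    """Build the same request twice under each scheme and report repeats."""
    attrs = attr(USER_NAME, user)
    # Disconnect-Request: the authenticator depends only on packet and secret.
    d1 = derived_request_authenticator(DISCONNECT_REQUEST, ident, attrs, SECRET)
    d2 = derived_request_authenticator(DISCONNECT_REQUEST, ident, attrs, SECRET)
    # Access-Request: 16 fresh random octets per request feed the HMAC.
    m1 = message_authenticator(ACCESS_REQUEST, ident, os.urandom(16), attrs, SECRET)
    m2 = message_authenticator(ACCESS_REQUEST, ident, os.urandom(16), attrs, SECRET)
    return {"derived_repeats": d1 == d2, "hmac_repeats": m1 == m2}


if __name__ == "__main__":
    print(compare())
```

Identical Disconnect-Requests always carry the same derived authenticator, while the Access-Request HMAC changes with every random Request Authenticator.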