[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Issue] RFC 3576 Usage of Message-Authenticator

To: john.loughney@nokia.com
Subject: Re: [Issue] RFC 3576 Usage of Message-Authenticator
From: Murtaza Chiba <mchiba@cisco.com>
Date: Sun, 30 Jan 2005 16:54:26 -0800
Cc: aboba@internaut.com, radiusext@ops.ietf.org
In-reply-to: <FBA7FB88A51E804BA4A111CDFD2DE6382BA942@esebe105.NOE.Nokia.com>
References: <FBA7FB88A51E804BA4A111CDFD2DE6382BA942@esebe105.NOE.Nokia.com>
User-agent: Mozilla Thunderbird 1.0 (X11/20041206)

Bernard, Sounds good. Somewhat related, there are Vendor attributes that are encrypted, although we want to discourage per attribute encryption, the fact of the matter is that Customers are using it. So I would like to request a new attribute Initialization-Vector that can be used for all encrypted attributes in CoA and Disconnect Messages.

Regards,
Murtaza

john.loughney@nokia.com wrote:

Bernard,
I agree with your proposal.
John
-----Original Message-----
From: owner-radiusext@ops.ietf.org
[mailto:owner-radiusext@ops.ietf.org]On Behalf Of ext Bernard Aboba
Sent: 29 January, 2005 02:37
To: radiusext@ops.ietf.org
Subject: [Issue] RFC 3576 Usage of Message-Authenticator
RFC 3576 calculation of the Request and Response Authenticator is modelled after RFC 2866 (RADIUS Accounting). However, the Message-Authenticator attribute is not allowed in Accounting-Request and Accounting-Response messages, because these messages do not contain a random Request Authenticator, as specified in RFC 3579:
     Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
     Request Authenticator, Attributes)
It therefore would appear that a Message-Authenticator attribute is not allowed in CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request, Disconnect-ACK or Disconnect-NAK messages.
This is contrary to the table in Section 3.2, which has the following
entry for both CoA and Disconnect messages:
  Request   ACK      NAK   #   Attribute
  0-1       0-1      0-1  80   Message-Authenticator
Proposed Resolution:
My proposal is that we submit an errata to RFC 3576, changing the "0-1" entries to "0" entries.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- Re: [Issue] RFC 3576 Usage of Message-Authenticator
  - From: Bernard Aboba <aboba@internaut.com>

References:
- RE: [Issue] RFC 3576 Usage of Message-Authenticator
  - From: <john.loughney@nokia.com>

Prev by Date: RE: [Issue] RFC 3576 Usage of Message-Authenticator
Next by Date: Re: [Issue] RFC 3576 Usage of Message-Authenticator
Previous by thread: RE: [Issue] RFC 3576 Usage of Message-Authenticator
Next by thread: Re: [Issue] RFC 3576 Usage of Message-Authenticator
Index(es):
- Date
- Thread