
Re: [Issue] RFC 3576 Usage of Message-Authenticator



On Mon, Jan 31, 2005 at 11:59:51AM -0800, Glen Zorn (gwz) wrote:
> 
> This discussion has brought to light something that doesn't make
> sense to me.  The Request Authenticators are calculated differently in
> Access-Requests and Accounting-Requests, but I don't understand why
> (& I can't believe I didn't notice this before). RFC 2866 says "Note
> that the Request Authenticator of an Accounting-Request can not be
> done the same way as the Request Authenticator of a RADIUS
> Access-Request, because there is no User-Password attribute in an
> Accounting-Request."  The problem is, while the "encryption"
> technique used for the User-Password Attribute depends upon the
> Request Authenticator, the dependency is not, as far as I can tell,
> mutual.  Maybe someone can explain this?

I believe the reasoning, which I present without endorsing, is that
the receiver of an Access-Request with User-Password can verify that
the sender knows the shared-secret, since the User-Password will not
decrypt correctly otherwise.  Thus the Request Authenticator (a misnomer
in this case) can be a nonce.  Implicit in this design choice is the
assumption that the cost of responding to bogus Access-Requests is
less than the cost of doing some validation on every Access-Request
of heavier weight than simply checking the source IP.

Regards,
Barney

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
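The two constructions the thread contrasts, as an added illustration that is not part of the original messages: RFC 2865 s5.2 User-Password hiding (where the Request Authenticator is only a nonce) beside the RFC 2866 s3 Accounting-Request authenticator (where the secret is hashed in). The `plausible_password` check is the heuristic an Access-Request receiver is left with under the reasoning above, and the secret, nonce and attribute bytes are constructed sample values.

```python
import hashlib
import os

# Added example, not from the thread: RFC 2865 s5.2 User-Password hiding
# and the RFC 2866 s3 Accounting-Request Request Authenticator, side by side.
# Assumes a non-empty password of at most 128 octets (the RFC 2865 limit).

def _xor_stream(data: bytes, secret: bytes, req_auth: bytes, decrypt: bool) -> bytes:
    """Chain of 16-octet blocks, each XORed with MD5(secret + previous block);
    the 'previous block' for the first block is the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ k for b, k in zip(block, key))
        out += result
        prev = block if decrypt else result   # chaining always uses the ciphertext block
    return out

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to a 16-octet multiple
    return _xor_stream(padded, secret, req_auth, decrypt=False)

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _xor_stream(hidden, secret, req_auth, decrypt=True)

def plausible_password(plain: bytes) -> bool:
    """Heuristic the Access-Request receiver is left with: printable text followed
    only by NUL padding. A wrong shared secret yields pseudo-random octets instead."""
    body = plain.rstrip(b"\x00")
    return len(body) > 0 and all(0x20 <= b < 0x7F for b in body)

def acct_request_authenticator(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866 s3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + secret).
    No User-Password exists here, so the secret has to be bound in by this hash."""
    length = 20 + len(attrs)
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

if __name__ == "__main__":
    secret = b"constructed-secret"          # constructed sample value
    ra = os.urandom(16)                      # Access-Request: the RA is just a nonce
    hidden = hide_password(b"hunter2", secret, ra)
    print(plausible_password(unhide_password(hidden, secret, ra)))      # True
    print(plausible_password(unhide_password(hidden, b"wrong", ra)))    # False
    attrs = bytes([40, 6, 0, 0, 0, 1])       # constructed Acct-Status-Type = Start
    print(acct_request_authenticator(4, 1, attrs, secret).hex())
```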

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>