
Re: AW: Issue 79; digest-auth realm validation



So you basically stop in the RADIUS server processing further requests that come from the same RADIUS client? How do you identify the RADIUS client, is it by its IP address?

What I am trying to avoid is that this "compromise" prevents that RADIUS server from processing legitimate requests coming from a RADIUS client just because an attacker wrote a forged RADIUS request to preclude that client from operating anymore. If you can avoid this case I am fine; otherwise, I have a problem with it.

/Miguel

Beck01, Wolfgang wrote:

Miguel wrote:

I have a question:

What is the intention of this text:

   "The RADIUS server considers this client as
   compromised. "

What is this consideration? Is it that the RADIUS server marks "something" as "not being able to use the HTTP or SIP service any longer"?

"something" -- the RADIUS client that sent a Digest-Realm with a realm it is not allowed to speak for. Joe's reasoning was that this can be a sign of a compromised RADIUS client. If a RADIUS client is compromised, it's better not to process any requests from it until the situation has been resolved.

So your proposal would be just to drop the reject the request
with the offending Digest-Realm attribute?

Wolfgang

--
T-Systems
Next Generation IP Services and Systems
+49 6151 937 2863
Am Kavalleriesand 3
64295 Darmstadt
Germany


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

--
Miguel A. Garcia
tel:+358-50-4804586
Nokia Research Center
Helsinki, Finland
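One way a server could handle the concern raised in this thread, as an added example that is not code from the draft or from either participant: a realm violation is counted against a client only when the request carries a valid Message-Authenticator computed with that client's shared secret, so a packet forged with a spoofed source address is discarded without affecting the client. The client table, the secret, the return strings and the `quarantined` set are assumptions; attribute numbers 80 and 104 are the ones assigned in RFC 2869 and RFC 5090.

```python
import hashlib
import hmac
import struct

MSG_AUTH, DIGEST_REALM = 80, 104  # attribute types (RFC 2869, RFC 5090)

# Constructed client table: source IP -> (shared secret, realms it may speak for)
CLIENTS = {"192.0.2.10": (b"constructed-secret", {"example.com"})}
quarantined = set()  # clients held until an operator resolves the situation

def attrs(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield atype, pos + 2, packet[pos + 2:pos + alen]
        pos += alen

def authenticated(packet, secret):
    """Message-Authenticator check: HMAC-MD5 over the packet with that field zeroed."""
    for atype, off, val in attrs(packet):
        if atype == MSG_AUTH and len(val) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), val)
    return False  # no Message-Authenticator present: treat as unauthenticated

def handle(src_ip, packet):
    """Return 'discard', 'reject' or 'process' for one Access-Request."""
    if src_ip not in CLIENTS or src_ip in quarantined:
        return "discard"
    secret, realms = CLIENTS[src_ip]
    try:
        if not authenticated(packet, secret):
            return "discard"  # forged or corrupted: never counted against the client
        realm = next((v.decode() for t, _, v in attrs(packet) if t == DIGEST_REALM), None)
    except (ValueError, UnicodeDecodeError):
        return "discard"
    if realm is not None and realm not in realms:
        quarantined.add(src_ip)  # authenticated request for a realm it may not speak for
        return "reject"
    return "process"

def build(secret, realm):
    """Constructed Access-Request with Digest-Realm and a Message-Authenticator."""
    body = bytes([DIGEST_REALM, 2 + len(realm)]) + realm.encode() + bytes([MSG_AUTH, 18]) + bytes(16)
    pkt = struct.pack("!BBH16s", 1, 7, 20 + len(body), bytes(range(16))) + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
```
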

