AW: AW: Issue 79; digest-auth realm validation
> So you basically stop in the RADIUS server processing further
> requests that come from the same RADIUS client?
yes.
> How do you identify the RADIUS client, is it by its IP address?
yes, and by a shared secret. But I am not sure whether current RADIUS
server APIs support this.
>
> What I am trying to avoid is that this "compromise" prevents
> that RADIUS server from processing legitimate requests coming from a RADIUS
> client just because an attacker wrote a forged RADIUS request to preclude that
> client from operating anymore.
This would be a quite effective DoS attack. But Message-Authenticator is mandatory
now and should make forging RADIUS requests much harder.
Wolfgang
--
T-Systems
Next Generation IP Services and Systems
+49 6151 937 2863
Am Kavalleriesand 3
64295 Darmstadt
Germany
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
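
The check the reply above relies on, as an added example that is not part of the original message or of any RADIUS server's code: a server verifies Message-Authenticator (attribute 80, HMAC-MD5 keyed with the shared secret, per RFC 2869) before letting a request count against a client, so a packet forged from the client's IP address without the secret is discarded instead of triggering the block. The function names and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, USER_NAME = 1, 1
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14

def _attributes(packet):
    """Yield (type, value_offset, value_length) for each attribute."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    pos, end = 20, struct.unpack("!H", packet[2:4])[0]
    if end < 20 or end > len(packet):
        raise ValueError("bad RADIUS length field")
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            raise ValueError("bad attribute length")
        yield atype, pos + 2, alen - 2
        pos += alen

def verify_message_authenticator(packet, secret):
    """True only if the Access-Request carries one valid Message-Authenticator."""
    try:
        found = [(off, n) for t, off, n in _attributes(packet)
                 if t == MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or found[0][1] != 16:
        return False  # missing, duplicated or wrong-sized attribute
    off = found[0][0]
    end = struct.unpack("!H", packet[2:4])[0]
    # The HMAC covers the whole packet with the attribute value zeroed.
    zeroed = packet[:off] + bytes(16) + packet[off + 16:end]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])

def build_access_request(secret, user, ident=1):
    """Constructed sample packet: User-Name plus Message-Authenticator."""
    attrs = bytes([USER_NAME, 2 + len(user)]) + user
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + os.urandom(16) + attrs  # random Request Authenticator
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac
```

Only requests for which `verify_message_authenticator` returns True should feed any per-client blocking decision; everything else is dropped silently.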