RE: Issue 79; digest-auth realm validation
Hi Wolfgang,
See inline:
> -----Original Message-----
> From: Beck01, Wolfgang [mailto:BeckW@t-systems.com]
> Sent: Monday, April 04, 2005 4:52 AM
> To: aboba@internaut.com; jsalowey@cisco.com
> Cc: radiusext@ops.ietf.org
> Subject: Re: Issue 79; digest-auth realm validation
>
>
> Here's a complete text proposal:
>
> The RADIUS server MUST check if the user identified by the User-Name
> attribute
> o is authorized to access the protection space defined by the
>   Digest-URI and Digest-Realm attributes,
> o is authorized to use the URI included in the SIP-AOR attribute, if
>   this attribute is present.
> If any of those checks fails, the RADIUS server MUST send an
> Access-Reject.
>
> Correlation between User-Name and SIP-AOR AVP values is required just
> to avoid that any user can register or misuse a SIP-AOR allocated to
> another user.
>
> A RADIUS server MUST check if the RADIUS client is authorized to
> serve users of the realm mentioned in the Digest-Realm attribute. If
> the RADIUS client is not authorized, the RADIUS server sends an
> Access-Reject. The RADIUS server considers this client as
> compromised. It notifies the operator and rejects all future
> requests from this client, until some management action tells it to
> do so again.
I think if the realm check fails, IMO RADIUS should silently discard and
log/report.
I don't think it should ignore any further traffic from that client. After
all, it may not be the client that is compromised but rather another RADIUS
Client in the proxy chain. Anyway, whether we ignore traffic or not will
really depend on how RADIUS is being deployed here and should therefore be a
deployment issue.
> Please send me a note if you have objections/additions about
> this text so we can close the issue.
>
> Wolfgang
>
> --
> T-Systems
> Next Generation IP Services and Systems
> +49 6151 937 2863
> Am Kavalleriesand 3
> 64295 Darmstadt
> Germany
>
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
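The three checks in the quoted proposal (client authorized for the Digest-Realm, user authorized for the Digest-Realm/Digest-URI protection space, user owns the SIP-AOR) and the two positions on what to do when the realm check fails (Access-Reject in the proposal, silent discard plus logging in the reply) can be written out as one decision routine. The following is an added illustration, not code from the list thread or from any RADIUS implementation; the `Policy` and `Request` structures, the sample policy, the client addresses, user names and realms are all constructed for the example.

```python
"""Digest-auth authorization checks, constructed to illustrate the thread.

A request carries User-Name, Digest-Realm, Digest-URI and optionally SIP-AOR;
the server consults a policy and returns Access-Accept, Access-Reject, or
silently discards the request (logging it).  Policy layout is an assumption
for this example, not a RADIUS server's real configuration format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ACCEPT = "Access-Accept"
REJECT = "Access-Reject"
DISCARD = "silent-discard"   # no packet is sent back; the event is only logged


@dataclass
class Policy:
    # RADIUS client (by source address) -> realms that client may serve
    client_realms: Dict[str, Set[str]]
    # user -> (realm, uri-prefix) protection spaces the user may access
    user_spaces: Dict[str, Set[Tuple[str, str]]]
    # user -> SIP AORs allocated to that user
    user_aors: Dict[str, Set[str]]


@dataclass
class Request:
    client_addr: str
    user_name: str
    digest_realm: str
    digest_uri: str
    sip_aor: Optional[str] = None


def authorize(req: Request, policy: Policy, log: List[str],
              realm_mismatch: str = DISCARD) -> str:
    """Return the outcome for req and append any rejection reason to log.

    realm_mismatch selects the behaviour when the RADIUS client is not
    authorized for the realm: REJECT follows the quoted proposal, DISCARD
    (the default here) follows the reply's "silently discard and log".
    """
    # Check 1, done first so an unauthorized client gets the same answer
    # whatever User-Name it sends: may this client serve this realm?
    served = policy.client_realms.get(req.client_addr, set())
    if req.digest_realm not in served:
        log.append(f"client {req.client_addr} not authorized for realm "
                   f"{req.digest_realm!r} (User-Name {req.user_name!r})")
        return realm_mismatch

    # Check 2: is the user authorized for the protection space
    # (Digest-Realm + Digest-URI)?  URI prefixes define the space here.
    spaces = policy.user_spaces.get(req.user_name, set())
    if not any(realm == req.digest_realm and req.digest_uri.startswith(prefix)
               for realm, prefix in spaces):
        log.append(f"user {req.user_name!r} not authorized for "
                   f"{req.digest_realm!r} {req.digest_uri!r}")
        return REJECT

    # Check 3: if SIP-AOR is present it must be allocated to this user,
    # so one user cannot register an AOR belonging to another.
    if req.sip_aor is not None:
        if req.sip_aor not in policy.user_aors.get(req.user_name, set()):
            log.append(f"user {req.user_name!r} may not use SIP-AOR "
                       f"{req.sip_aor!r}")
            return REJECT

    return ACCEPT


# Constructed sample policy (addresses from the documentation range).
SAMPLE_POLICY = Policy(
    client_realms={"192.0.2.10": {"example.com"},
                   "192.0.2.20": {"other.example"}},
    user_spaces={"alice": {("example.com", "sip:")}},
    user_aors={"alice": {"sip:alice@example.com"}},
)


def run_examples() -> List[str]:
    """Exercise each check once; returns the list of outcomes."""
    log: List[str] = []
    cases = [
        # authorized client, user, space and AOR
        Request("192.0.2.10", "alice", "example.com",
                "sip:bob@example.com", "sip:alice@example.com"),
        # alice tries to use bob's AOR
        Request("192.0.2.10", "alice", "example.com",
                "sip:bob@example.com", "sip:bob@example.com"),
        # client not authorized for the realm (default: silent discard)
        Request("192.0.2.20", "alice", "example.com", "sip:bob@example.com"),
        # unknown user, no protection space at all
        Request("192.0.2.10", "mallory", "example.com", "sip:bob@example.com"),
    ]
    return [authorize(c, SAMPLE_POLICY, log) for c in cases]


if __name__ == "__main__":
    events: List[str] = []
    for outcome in run_examples():
        print(outcome)
    print(authorize(Request("192.0.2.20", "alice", "example.com",
                            "sip:bob@example.com"),
                    SAMPLE_POLICY, events, realm_mismatch=REJECT), events)
```

The client/realm check runs before the user checks so that a RADIUS client which is not allowed to serve a realm learns nothing about which User-Name values exist there; whichever of Access-Reject or silent discard a deployment chooses for that case, the log line is what lets the operator notice a misconfigured or compromised client in the proxy chain.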