Re: Issue: Counters for Session Contexts not found in RFC3576 MIBS
On Wed, 28 Sep 2005, Murtaza Chiba (mchiba) wrote:
> Glen Z. has suggested the addition of counters in the event where the Session Context is not found for the
> RFC3576 MIBS. This requires the addition of 4 objects, one each for DM
> and CoA messages for both the client and server MIBs. There is a good
> need for this as NAKs could be sent for Diameter RAR capabilities, in
> which case the NAK is not an error condition.
I think this makes sense.
> Other Error Cause codes will not have corresponding counters. There is a security concern that
> the counter may provide information valuable for attacks. The authors
> would like to get the general feel for this.
Presumably access is only being provided to the SNMP manager, correct? I
would focus on whether the information is useful rather than whether it is
security-sensitive.
There is probably some value in tracking error messages by DAC and DAS, so
as to see if there is a problem with a client or server. For example, if
an error 501 is being returned by a DAC (Administratively Prohibited),
this could represent a security problem that needs to be addressed (e.g.
someone is trying to send unauthorized Disconnect-Requests).
I'm not sure whether the way to do this is via counters or potentially an
error message table.
> An alternative is to maintain a counter for requests that are for Diameter RAR capabilities.
I do think it may make sense to count "Authorization Only" CoA and
Disconnect-Requests. In terms of the
--
archive: <http://psg.com/lists/radiusext/>
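
An added example, not part of the original message or of any MIB draft: a per-peer tally of Error-Cause values in RFC 3576 Disconnect-NAK and CoA-NAK packets, which keeps 503 (Session Context Not Found) apart from 501 (Administratively Prohibited) the way an error table would. The peer addresses, packet builder and function names are constructed for illustration.

```python
import struct
from collections import Counter

NAK_CODES = {42: "Disconnect-NAK", 45: "CoA-NAK"}  # RFC 3576 packet codes
ERROR_CAUSE = 101                                  # Error-Cause attribute type
ADMIN_PROHIBITED = 501
SESSION_CONTEXT_NOT_FOUND = 503

def error_cause(packet: bytes):
    """Return (nak_name, cause) for a well-formed NAK, else None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in NAK_CODES or not 20 <= length <= len(packet):
        return None
    pos, cause = 20, None          # attributes follow the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None            # malformed attribute: do not count it
        if atype == ERROR_CAUSE and alen == 6:
            cause = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += alen
    return NAK_CODES[code], cause

def tally(samples):
    """Count NAKs keyed by (peer, message type, Error-Cause)."""
    counts = Counter()
    for peer, packet in samples:
        parsed = error_cause(packet)
        if parsed:
            counts[(peer, *parsed)] += 1
    return counts

def prohibited_peers(counts):
    """Peers whose requests drew 501, the case worth an operator's attention."""
    return sorted({p for (p, _m, c), n in counts.items() if c == ADMIN_PROHIBITED and n})

def build_packet(code, cause, ident=1):
    """Constructed sample: zeroed authenticator plus one Error-Cause attribute."""
    attr = struct.pack("!BBI", ERROR_CAUSE, 6, cause)
    return struct.pack("!BBH", code, ident, 20 + len(attr)) + bytes(16) + attr

# Constructed samples (documentation addresses), not captured traffic.
SAMPLES = (
    [("192.0.2.10", build_packet(42, SESSION_CONTEXT_NOT_FOUND))] * 2
    + [("192.0.2.10", build_packet(45, SESSION_CONTEXT_NOT_FOUND))]
    + [("198.51.100.7", build_packet(42, ADMIN_PROHIBITED))] * 3
    + [("192.0.2.10", build_packet(44, 0))]          # CoA-ACK, ignored
    + [("192.0.2.10", build_packet(45, 503)[:22])]   # truncated, ignored
)

if __name__ == "__main__":
    for key, n in sorted(tally(SAMPLES).items()):
        print(key, n)
```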