Issue 139: Nonce Attribute

Submitter name: Bernard Aboba
Submitter email address: aboba@internaut.com
Date first submitted: October 10, 2005
Reference:
Document: RFC3576bis-00
Comment type: T
Priority: S
Section: Various
Rationale/Explanation of issue:

It has been pointed out that the replay protection mechanisms
recommended in RFC 3576 may be difficult to deploy.

For example, the Event-Timestamp attribute requires time synchronization
between the RADIUS server and NAS. In roaming situations this would
require all networks between the RADIUS server and NAS to be running
NTP, synchronized to the same clock.

Similarly, IPsec with replay protection may not be deployable on all
hops in the path.

To provide more deployable replay protection it has been suggested that
a Nonce attribute be introduced. This attribute would be sent by the DAC
in a CoA/Disconnect-Request. If the DAS understands the attribute it would
be copied into the CoA/Disconnect ACK/NAK (possibly along with another
Nonce attribute inserted by the DAS).

The Nonce attribute could also be used to enhance replay protection
in Accounting-Request packets. Since the receiver of the packet
with a Nonce attribute doesn't need to understand it, this attribute
is backward compatible with existing RFC 3576 implementations.
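To make the proposed exchange concrete, here is an added simulation of the DAC/DAS nonce round trip; it is example code written for this page, not code from the issue, RFC 3576 or any RADIUS implementation. The packet framing and the Request/Response Authenticator computations follow RFC 3576 (CoA-Request 43, CoA-ACK 44, CoA-NAK 45, MD5 over header, authenticator, attributes and shared secret). The attribute number `NONCE_TYPE = 200`, the class names `DAC`/`DAS` and the shared secret are assumptions, since the message assigns none. The DAC issues a fresh random nonce per request and only accepts a response whose echoed nonce matches an outstanding request; a DAS built with `understands_nonce=False` models an existing RFC 3576 implementation that ignores the unknown attribute, which the DAC still accepts.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes for CoA messages (RFC 3576).
CODE_COA_REQUEST, CODE_COA_ACK, CODE_COA_NAK = 43, 44, 45
# Placeholder attribute number: the message assigns none to the Nonce attribute.
NONCE_TYPE = 200
ZERO_AUTH = b"\x00" * 16


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or undersized attributes."""
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute")
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def build_packet(code, ident, attrs, secret, req_auth=None):
    """Build a RADIUS packet. req_auth=None means a request (16 zero octets in
    the Authenticator slot); otherwise a response to the request with that
    Request Authenticator, per RFC 3576."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(head + (req_auth or ZERO_AUTH) + body + secret).digest()
    return head + auth + body


def parse_packet(pkt):
    """Return (code, identifier, authenticator, attributes, raw attribute bytes)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad packet length")
    body = pkt[20:length]
    return code, ident, pkt[4:20], decode_attrs(body), body


class DAS:
    """NAS side. understands_nonce=False models an RFC 3576 implementation
    that does not know the attribute and simply does not echo it."""

    def __init__(self, secret, understands_nonce=True):
        self.secret, self.understands_nonce = secret, understands_nonce

    def handle(self, pkt):
        code, ident, req_auth, attrs, body = parse_packet(pkt)
        expected = hashlib.md5(pkt[:4] + ZERO_AUTH + body + self.secret).digest()
        if code != CODE_COA_REQUEST or not hmac.compare_digest(expected, req_auth):
            return None  # silently discard, as RFC 3576 requires
        reply = []
        if self.understands_nonce:
            reply += [(t, v) for t, v in attrs if t == NONCE_TYPE]  # copy the DAC nonce
            reply.append((NONCE_TYPE, os.urandom(16)))            # add the DAS's own nonce
        return build_packet(CODE_COA_ACK, ident, reply, self.secret, req_auth)


class DAC:
    """RADIUS-server side: one fresh nonce per request, checked on the reply."""

    def __init__(self, secret):
        self.secret, self.pending, self.next_id = secret, {}, 0

    def send_coa(self, attrs):
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        nonce = os.urandom(16)
        pkt = build_packet(CODE_COA_REQUEST, ident, list(attrs) + [(NONCE_TYPE, nonce)], self.secret)
        self.pending[ident] = (nonce, pkt[4:20])  # remember nonce and Request Authenticator
        return pkt

    def accept_response(self, pkt):
        code, ident, resp_auth, attrs, body = parse_packet(pkt)
        if code not in (CODE_COA_ACK, CODE_COA_NAK) or ident not in self.pending:
            return "rejected: no outstanding request"
        nonce, req_auth = self.pending[ident]
        expected = hashlib.md5(pkt[:4] + req_auth + body + self.secret).digest()
        if not hmac.compare_digest(expected, resp_auth):
            return "rejected: bad response authenticator"
        echoed = [v for t, v in attrs if t == NONCE_TYPE]
        if echoed and nonce not in echoed:
            return "rejected: nonce mismatch"  # reply belongs to some other request
        del self.pending[ident]  # a second copy of this reply is now a replay
        return "accepted" if echoed else "accepted (legacy DAS, no nonce echoed)"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    dac, das, legacy = DAC(secret), DAS(secret), DAS(secret, understands_nonce=False)
    ack = das.handle(dac.send_coa([(4, bytes([192, 0, 2, 1]))]))  # NAS-IP-Address
    print(dac.accept_response(ack))                               # accepted
    print(dac.accept_response(ack))                               # replayed: rejected
    print(dac.accept_response(legacy.handle(dac.send_coa([]))))   # legacy DAS still works
```

The message does not say how the DAS's own nonce is consumed by the DAC, so the example only carries it in the ACK. Note that because the RADIUS Identifier wraps after 256 packets, the nonce is what lets the DAC tell a delayed or replayed reply to an earlier request from the reply to the current one; the Response Authenticator alone proves the reply was computed from some valid request, not which one.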



--
archive: <http://psg.com/lists/radiusext/>