[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue 138

To: "wolfgang.beck01@t-online.de" <wolfgang.beck01@t-online.de>
Subject: Re: Issue 138
From: Miguel Garcia <Miguel.An.Garcia@nokia.com>
Date: Fri, 14 Oct 2005 10:27:06 +0300
Cc: radiusext@ops.ietf.org, bernard_aboba@hotmail.com
In-reply-to: <1EQBOE-15rEHY0@fwd26.sul.t-online.de>
References: <1EQBOE-15rEHY0@fwd26.sul.t-online.de>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)

Hi Wolfgang.

I think your proposed solution does not move in the direction whereBernard and me have been indicating: "the security of the RADIUSexchange is a somewhat orthogonal issue from the security of theHTTP/SIP Digest exchange."

There are connections betweeen the secure URI (https or sips) and thepresence/lack of security in the RADIUS interface. We indicated thatther is no such link.


So, in my opinion, the issue is still open.

/Miguel

wolfgang.beck01@t-online.de wrote:

Proposed text in section "RADIUS Client Behavior":
   "If all of the following conditions are true, the RADIUS client MUST
   act as if it had sent an Access-Request and the RADIUS server had
   rejected the credentials with an Access-Reject packet:
   o  the scheme in the digest-uri directive indicates a secure HTTP-
      style connection (e.g. sip or https).
   o  the packets between RADIUS client and RADIUS server are not
      protected with IPsec.
   Under those conditions, a typical implementation would reject the
   HTTP-style request."

replaces:
   "If the packets between RADIUS client and RADIUS server are not
   protected with IPsec, the RADIUS client MUST NOT accept secured
   connections (like https or sips) from its HTTP-style clients, so that
   HTTP-style clients are not provided with a false sense of security."

The Security Consideration section gives some additional explanations.
The section contains a part:
  "There are two ways to achieve this:
   o  the RADIUS client may reject HTTP-style requests received over TLS
      or IPsec
   o  the RADIUS client require that traffic be sent and received over
      IPsec.
   RADIUS over IPsec, if used, MUST conform to the requirements
   described in [RFC3579] section 4.2.

I think it's weak enough with respect to the "don't mandate SIP / HTTP
behaviour" requirement.


Wolfgang


--
Miguel A. Garcia           tel:+358-50-4804586
sip:miguel.an.garcia@openlaboratory.net
Nokia Research Center      Helsinki, Finland


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- Issue 138
  - From: wolfgang.beck01@t-online.de

Prev by Date: Outcome of RADEXT WG Consensus call on draft-lior-radext-end-to-end-caps-01.txt
Next by Date: Re: Capabilities complexity summary
Previous by thread: Issue 138
Next by thread: Re: Capabilities complexity summary
Index(es):
- Date
- Thread