[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AW: digest-auth, nonce replay issue



Glen wrote
> However, your the draft doesn't say 
> 
>    o  If the Digest-Qop attribute's value is 'auth-int' and at least one
>       of the following conditions is true, the RADIUS server SHOULD put
>       a Digest-HA1 attribute into the Access-Accept packet:
>       *  The Digest-Algorithm attribute's value is 'MD5-sess' or 'AKAv1-
>          MD5-sess'.
>       *  The password was not posted on a mailing list (see Section 9).
>    In all other cases, Digest-Response-Auth or Digest-HA1 MUST NOT be
>    sent.
> Since the second condition is, AFAIK, unverifiable, it would 
> make sense to simply remove it as extraneous.  However, my 
> guess is that it's there for a reason; therefore, I would 
> advise making it depend upon a form of security that the 
> RADIUS client/server can actually check.

If I remove the IPSec-condition, I am sure somebody will complain about
it. In an earlier version, I used the phrase 'protected' instead of IPSec
which would have included future mechanisms, like RADIUS attribute encryption.
On request of the WG, this was replaced with IPSec. 

The above section of the draft is already hard to read, so I will add something
to the referenced Security Considerations, like:

'Some parameter combinations require the protection of the RADIUS packet against
eavesdropping and tampering. Implementations SHOULD try to determine automatically
whether RADIUS packets will be sent and received over IPSec. If this is not possible,
the implementation checks a configuration parameter telling it whether RADIUS traffic
will be protected with IPSec. It must be explicitly set by the operator. The default
value of this parameter tells the implementation that the RADIUS packet will not be
protected.'

Wolfgang

--
T-Systems
Next Generation IP Services and Systems
+49 6151 937 2863
Am Kavalleriesand 3
64295 Darmstadt
Germany 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>