Re: Review of draft-ietf-radext-digest-auth-08.txt (fwd)
> -----Original Message-----
Alexey
>> 2.1.2. Constructing an Access-Request
>> [...]
>>
>> Due to syntactic requirements, HTTP-style protocols have to escape
>> quote characters in contents of HTTP Digest directives. When
>
> "with backslash all quote and backslash characters in contents of ..."
OK
>>
>> 2.2.1. General Attribute Checks
>
>> [...]
>> The RADIUS server removes '\' characters that escape quote
>> characters
> "... that escape quote and '\' characters ..."
>> from the text values it has received in the Digest-* attributes.
OK
>> 8.1. Denial of Service
>> [...]
>> An attacker can attempt a denial of service attack on one or more
>> RADIUS servers by sending a large number of HTTP-style requests. To
>> make simple denial of service attacks more difficult, the nonce
>> issuer (RADIUS client or server) MUST check if it has generated the
>> nonce received from an HTTP-style client. This SHOULD be done
>> statelessly. For example, a nonce could consist of a
>> cryptographically random part and some kind of signature provided by
>> the RADIUS client, as described in [RFC2617], section 3.2.1.
>
> The RADIUS client no longer generates nonces, so it can't
> verify signature, unless it knows how RADIUS server generates nonces.
>
I knew I'd miss some of those.
> 9. Acknowledgments
>
> We would like to acknowledge Kevin Mcdermott (Cisco Systems) /or
> typo: "for"
> providing comments and experimental implementation.
Thank you for reviewing this document again.
Wolfgang
--
T-Systems Enterprise Services GmbH
Systems Integration
Technologiezentrum
Engineering Networks, Products & Services
Next Generation IP Services & Systems
Am Kavalleriesand 3
64295 Darmstadt
Tel +49 6151 937 2863
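The stateless nonce check from section 8.1 of the quoted draft (random part plus a signature that only the issuer can verify, in the spirit of RFC 2617 section 3.2.1) as added example code; it is not from the draft or any RADIUS implementation, and ISSUER_KEY, the "timestamp:random:tag" layout and the 300-second lifetime are my own assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed demo key.  A real nonce issuer (the RADIUS server in the
# draft's current design) would load a long-lived secret from its config.
ISSUER_KEY = b"constructed-demo-issuer-key-not-for-production"

def make_nonce(key, now=None, rand=None):
    """Issue a self-verifying nonce: '<unix-time>:<random-hex>:<hmac-tag-hex>'.

    No per-nonce state is kept; the HMAC tag is what later proves that this
    issuer generated the value, which is what lets unknown nonces be rejected
    cheaply before any further RADIUS processing.
    """
    now = int(time.time()) if now is None else now
    rand = os.urandom(16) if rand is None else rand
    body = "%d:%s" % (now, rand.hex())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:32]
    return "%s:%s" % (body, tag)

def nonce_is_ours(key, nonce, now=None, max_age=300):
    """Return True only if this issuer made the nonce and it is still fresh.

    Any malformed input is rejected without raising, so a flood of garbage
    nonces costs one HMAC at most (and usually just a failed parse).
    """
    try:
        ts_str, rand_hex, tag = nonce.split(":")
        ts = int(ts_str)
        bytes.fromhex(rand_hex)          # reject non-hex random parts
    except ValueError:
        return False
    body = "%d:%s" % (ts, rand_hex)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(expected, tag):   # constant-time compare
        return False
    now = int(time.time()) if now is None else now
    return 0 <= now - ts <= max_age      # not from the future, not expired

if __name__ == "__main__":
    n = make_nonce(ISSUER_KEY)
    print(n, nonce_is_ours(ISSUER_KEY, n), nonce_is_ours(b"other-key", n))
```

Because verification needs the issuer's key, a RADIUS client that merely forwards an HTTP-style client's nonce cannot perform this check itself, which is the point raised in the review above.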
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>