
RE: DISCUSS: draft-ietf-radext-vlan



> I don't believe there are any substantial differences in the security
> implications of these attributes in RADIUS vs. Diameter, and I'd
> suggest that the document say this and leave it at that.

I agree.

Here is a rewrite of the Security Considerations of the VLAN document to address Russ's DISCUSS comment:

6.  Security Considerations

  This specification describes the use of RADIUS and Diameter for
  purposes of authentication, authorization and accounting in IEEE 802
  local area networks.  RADIUS threats and security issues for this
  application are described in [RFC3579] and [RFC3580]; security issues
  encountered in roaming are described in [RFC2607].  For Diameter, the
  security issues relating to this application are described in
  [RFC4005] and [RFC4072].

  This document specifies new attributes that can be included in
  existing RADIUS packets, which are protected as described in
  [RFC3579] and [RFC3576].  In Diameter, the attributes are protected
  as specified in [RFC3588]. See those documents for a more detailed
  description.

  The security mechanisms supported in RADIUS and Diameter are focused
  on preventing an attacker from spoofing packets or modifying packets
  in transit.  They do not prevent an authorized AAA server or proxy
  from inserting attributes with malicious intent.

  VLAN attributes sent by a server or proxy may enable access to
  unauthorized VLANs.  These vulnerabilities can be limited by
  performing authorization checks at the NAS.  For example, a NAS can
  be configured to accept only certain VLANIDs from a given AAA
  server/proxy.

  Similarly, an attacker gaining control of a AAA server or proxy can
  modify the user priority table, causing either degradation of quality
  of service (by downgrading user priority of frames arriving at a
  port), or denial of service (by raising the level of priority of
  traffic at multiple ports of a device, oversubscribing the switch or
  link capabilities).



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
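The NAS-side authorization check suggested in the proposed text (honour only certain VLAN IDs from a given AAA server/proxy, and bound what a received priority table can do) written out as an added illustration; it is not part of the draft or of this message. The attribute names (Tunnel-Private-Group-ID, Egress-VLANID, User-Priority-Table), the per-server policy table and the sample Access-Accept contents are assumptions constructed for the example.

```python
"""NAS-side policy filter for VLAN and priority attributes from a AAA server.

Added example; attribute names, policy format and sample values are assumed,
not taken from the draft or the list message. Attribute values are assumed
to be already decoded (e.g. Egress-VLANID reduced to its 12-bit VLAN ID).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerPolicy:
    allowed_vlans: frozenset   # VLAN IDs this NAS will accept from the server
    max_priority: int = 7      # highest IEEE 802.1D user priority it may assign


# Constructed policy: what each known AAA server/proxy is permitted to do here.
POLICY = {
    "aaa-corp.example.net": ServerPolicy(frozenset({10, 20, 30}), max_priority=5),
    "aaa-guest.example.net": ServerPolicy(frozenset({100}), max_priority=1),
}

VLAN_ATTRS = ("Tunnel-Private-Group-ID", "Egress-VLANID")


def authorize_vlan_attrs(server, attrs):
    """Split decoded Access-Accept attributes into (accepted, rejected).

    VLAN IDs outside the server's allowlist and priority tables that would
    raise any frame above the server's cap are rejected rather than applied,
    which bounds what a compromised or misbehaving server/proxy can do to
    this NAS. Unrelated attributes pass through untouched.
    """
    policy = POLICY.get(server)
    if policy is None:
        # Unknown origin: apply nothing from it.
        return [], list(attrs)
    accepted, rejected = [], []
    for name, value in attrs:
        if name in VLAN_ATTRS:
            ok = int(value) in policy.allowed_vlans
        elif name == "User-Priority-Table":
            # Eight regenerated priorities, one per incoming priority 0..7.
            ok = len(value) == 8 and all(0 <= p <= policy.max_priority for p in value)
        else:
            ok = True
        (accepted if ok else rejected).append((name, value))
    return accepted, rejected
```

Rejected attributes are the ones worth logging at the NAS, since a server repeatedly offering VLANs or priorities outside its configured scope is exactly the misbehaviour the text describes.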