[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Proxies and dead home servers

To: radiusext@ops.ietf.org
Subject: Proxies and dead home servers
From: Alan DeKok <aland@nitros9.org>
Date: Mon, 11 Jun 2007 13:47:35 +0200
User-agent: Thunderbird 1.5.0.12 (X11/20070604)

  I've recently come across an issue which the RFC's don't clearly
address, but which can have major implications in a proxying environment.

  Suppose we have a proxy chain as follows:

 NAS --> Proxy Server --> Home Server

  If the Home Server does not respond to a proxied Access-Request, what
does the Proxy Server do with it?  RFC 2865 Section 4.1 says:

      Upon receipt of an Access-Request from a valid client, an
      appropriate reply MUST be transmitted.

  This would seem to indicate that the Proxy Server MUST respond to the
NAS, even if the Home Server does not respond to the Proxy Server.  The
only safe response is an Access-Reject, I think.

  There are implementations that do not behave this way, but I think
their impact is small.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- RE: Proxies and dead home servers
  - From: "Glen Zorn \(gwz\)" <gwz@cisco.com>

Prev by Date: RADEXT WG last call on RFC 3576bis
Next by Date: Re: Determining WG consensus on Issue 226: RFC 3576bis and Renumbering
Previous by thread: RADEXT WG last call on RFC 3576bis
Next by thread: RE: Proxies and dead home servers
Index(es):
- Date
- Thread