
Re: Review of draft-ietf-radext-design-01.txt



Bernard_Aboba@hotmail.com wrote:
> How about this?
> 
> "Where the intent is to represent a specific IPv6 address, the IPv6
...

  Done.

> Suggest adding:  "The threat is particularly severe when the opaque data

  Word-smithing:

   The threat is particularly severe when the opaque data does not
   originate from, or is checked by the NAS.  In those cases, the RADIUS
   server is potentially exposed to attack by malware residing on an
   unauthenticated host.  Applications consuming opaque data that reside
   on the RADIUS server SHOULD be properly isolated from the RADIUS
   server, and SHOULD run with minimal privileges.  Any potential
   vulnerabilities in that application will then have minimal impact on
   the security of the system as a whole.

  (chopping long sentences, etc.)

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>