> For hotspot or dial-up, the passwords are sent in clear-text. This
> gives the visited operators the ability to invent sessions.

[BA] Fair enough.

> Hokey restricts ERX to within one domain (I think Glen said that in
> the meeting), so the above restriction will apply to Hokey, too. This
> means that the only vulnerability Hokey has to fraudulent operators is
> their ability to use ERX to generate *multiple* authentications for the
> same user.

[BA] This is where I get confused. As far as I can tell, the DSRK request
can be inserted by *any* proxy on the path. So I'm not sure how the
restriction is implemented in practice.

> This fraud can be detected and prevented if Hokey ties each ERX
> session to the original EAP session. (It's not immediately obvious from
> a scan of ERX-13 how this happens.) I.e., any accounting stream from an
> ERX authentication should be tied to the original EAP authentication.
> The home server can then validate that it is receiving one, and only
> one, accounting stream that results from an EAP authentication.

[BA] It would certainly help for the subsequent ERX accounting records to
be tied to the original EAP session (e.g. via use of the same
Multi-Session-Id). But it would still be necessary to tie the ERX
accounting records to an authentication that terminates at the home ERX
server, not just the local ERX server.

> I think that the ERX server MUST be within the same domain as the AAA
> server: the visited domain.

[BA] If the ERX server and AAA server are both in the visited domain, why
refer to a "local" ERX server and a "home" ERX server? I thought that the
applicability statement proposed refers to inter-domain use.

> That would be best, I think.

[BA] I agree that the restrictions you describe would address the issue,
but I'm still confused as to whether the solution scope includes those
restrictions or not.
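The check discussed above (the home server validating that each accounting stream traces back to exactly one EAP authentication it terminated itself, keyed by the same Multi-Session-Id) can be sketched as a home-AAA-side audit. The following is an added example, not code from the thread, from the hokey drafts or from any AAA implementation. It assumes the home server records the Acct-Multi-Session-Id it issued for every EAP authentication it terminated, and that accounting Start/Stop records arriving from visited realms carry Acct-Session-Id, Acct-Multi-Session-Id, the user and an originating realm; all records below are constructed for illustration. It flags streams with no home-terminated authentication behind them (the "local ERX server only" case), streams whose user does not match the authentication, and a second Acct-Session-Id started under a Multi-Session-Id whose previous stream is still open. It does not address the separate point about DSRK requests being inserted by intermediate proxies.

```python
"""Home-AAA audit of ERX accounting streams (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class EapAuth:
    """An EAP authentication that terminated at the home server (assumed record)."""
    multi_session_id: str   # Acct-Multi-Session-Id handed out at EAP success
    user: str


@dataclass(frozen=True)
class AcctEvent:
    """A RADIUS accounting Start or Stop as received from a visited realm."""
    status: str             # "Start" or "Stop"
    session_id: str         # Acct-Session-Id
    multi_session_id: str   # Acct-Multi-Session-Id
    user: str
    origin_realm: str       # realm the record was proxied from (assumed field)
    t: int                  # arrival order (constructed)


def audit(auths, events):
    """Return (multi_session_id, session_id, reason) findings in arrival order.

    reasons:
      untied           - no home-terminated EAP authentication for this id
      user-mismatch    - id is known but the accounting user differs
      multiple-streams - a new Acct-Session-Id started while another one
                         under the same Multi-Session-Id was still open
    """
    known = {a.multi_session_id: a for a in auths}
    open_streams = defaultdict(set)   # Multi-Session-Id -> open Acct-Session-Ids
    findings = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.status == "Stop":
            open_streams[ev.multi_session_id].discard(ev.session_id)
            continue
        auth = known.get(ev.multi_session_id)
        if auth is None:
            findings.append((ev.multi_session_id, ev.session_id, "untied"))
            continue
        if auth.user != ev.user:
            findings.append((ev.multi_session_id, ev.session_id, "user-mismatch"))
            continue
        streams = open_streams[ev.multi_session_id]
        if streams and ev.session_id not in streams:
            # A re-authentication that continues the session should follow the
            # Stop of the previous stream, not run beside it.
            findings.append((ev.multi_session_id, ev.session_id, "multiple-streams"))
        streams.add(ev.session_id)
    return findings


# Constructed sample: two authentications the home server terminated itself.
SAMPLE_AUTHS = [
    EapAuth("msid-A", "alice@home.example"),
    EapAuth("msid-B", "bob@home.example"),
]

# Constructed accounting events from two visited realms.
SAMPLE_EVENTS = [
    AcctEvent("Start", "s1", "msid-A", "alice@home.example", "visited1.example", 1),
    AcctEvent("Stop",  "s1", "msid-A", "alice@home.example", "visited1.example", 5),
    AcctEvent("Start", "s2", "msid-A", "alice@home.example", "visited1.example", 6),  # ok: serial
    AcctEvent("Start", "s3", "msid-A", "alice@home.example", "visited2.example", 7),  # s2 still open
    AcctEvent("Start", "s9", "msid-Z", "mallory@home.example", "visited2.example", 8),  # never authenticated at home
    AcctEvent("Start", "s4", "msid-B", "carol@home.example", "visited1.example", 9),   # wrong user
]


def demo():
    return audit(SAMPLE_AUTHS, SAMPLE_EVENTS)


if __name__ == "__main__":
    for msid, sid, reason in demo():
        print(f"{reason:17} Multi-Session-Id={msid} Acct-Session-Id={sid}")
```

The ordering by arrival time matters: a Stop that races ahead of its Start would make the next Start look concurrent, so a real deployment would need a tolerance window or sequence numbers, which the thread does not discuss.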