
Re: [HOKEY] ERX fraud issue



Bernard Aboba wrote:
> [BA] This is where I get confused.  As far as I can tell, the DSRK request
> can be inserted by *any* proxy on the path.  So I'm not sure how the
> restrictions are implemented in practice.

  A proxy inserting a DSRK for the purposes of faking authentication
would presumably do so without the cooperation of the visited network.
The proxy would then have to filter the accounting traffic from the
visited network.

  This is where a 3 party *reconciliation* protocol would be beneficial.
If the visited network, proxies, and home network all share their
accounting data, fraud is easier to detect.

> [BA] It would certainly help for the subsequent ERX accounting records to
> be tied to the original EAP session (e.g. via use of the same
> Multi-Session-Id).

  Not many systems implement Multi-Session-Id.  It may be simpler just
to require the accounting records for the visited network to be
consistent.  i.e. when a user moves to a new NAS, the records could be
sent through the visited network AAA server, which could do the
necessary data massaging to create a canonical accounting stream.

> [BA] If the ERX server and AAA server are both in the visited domain,
> why refer to a "local" ERX server and a "home" ERX server?  I thought
> that the applicability statement proposed refers to inter-domain use.

  I think the "home" ERX server just complicates the issue.

> [BA] I agree that the restrictions you describe would address the issue,
> but I'm still confused as to whether the solution scope includes those
> restrictions or not.

  Reviews && feedback are being solicited...

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
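
The three-party reconciliation idea discussed in this message, as an added example that is not part of the original post or of any HOKEY/RADEXT document. It assumes each party exports per-session stop summaries keyed on the same User-Name and Acct-Session-Id; the records, the function name and the finding strings are constructed for illustration.

```python
from collections import defaultdict

PARTIES = ("visited", "proxy", "home")

# Constructed Accounting-Stop summaries as each party logged them:
# (User-Name, Acct-Session-Id, Acct-Session-Time in seconds)
VISITED = [("alice@example.org", "s1", 600), ("bob@example.org", "s2", 300),
           ("dave@example.org", "s4", 1200)]
PROXY = [("alice@example.org", "s1", 600), ("carol@example.org", "s3", 900),
         ("dave@example.org", "s4", 1200)]
HOME = [("alice@example.org", "s1", 600), ("carol@example.org", "s3", 900),
        ("dave@example.org", "s4", 200)]


def reconcile(visited, proxy, home):
    """Map (user, session id) -> finding for every session the parties disagree on."""
    views = defaultdict(dict)
    for party, records in zip(PARTIES, (visited, proxy, home)):
        for user, session_id, seconds in records:
            # Keep the largest time reported, so repeated records collapse to one.
            prev = views[(user, session_id)].get(party, 0)
            views[(user, session_id)][party] = max(prev, seconds)

    findings = {}
    for key, seen in views.items():
        missing = [p for p in PARTIES if p not in seen]
        if "visited" in missing:
            # Upstream parties hold records for a session the visited network never reported.
            findings[key] = "not reported by visited network"
        elif missing:
            # The visited network reported it, but it was dropped somewhere on the path.
            findings[key] = "missing at " + ", ".join(missing)
        elif len(set(seen.values())) > 1:
            findings[key] = "session time differs: " + ", ".join(
                f"{p}={seen[p]}" for p in PARTIES)
    return findings


if __name__ == "__main__":
    for (user, session_id), finding in sorted(reconcile(VISITED, PROXY, HOME).items()):
        print(f"{user} {session_id}: {finding}")
```

Sessions on which all three parties agree produce no finding; each remaining entry is a discrepancy for the parties to investigate together.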