
Re: [HOKEY] ERX fraud issue



Bernard Aboba wrote:
> [BA] By a "stream" you mean Accounting-Requests from a single NAS, right?

  Yes and no.  From the point of view of the home server, there is *one*
user login.  This *should* translate into one accounting stream.  Which
NAS(es) generate that stream is a separate issue.

> As the user moves between NASes, Accounting-Requests will be generated,
> with Start/Stop to mark the beginning and end of a session on a particular
> NAS.

  Yes.  These packets go through the visited AAA server, which talks to
the visited ERX server.  That visited AAA server SHOULD be made
responsible for reconciling accounting streams from disparate NASes in
its local network.

> [BA]  So with ERX it is necessary to do a full EAP authentication every time
> a peer enters a new domain? I guess that this is a consequence of not
> being able to assume EMSK caching within the AAA server.

  That's my interpretation of what was said in Hokey.

>> The accounting stream is tied to the original EAP authentication,
>> which must carry information about the visited domain.
> 
> [BA] How is information about the visited domain encoded by the NAS? 

  It doesn't need to be.  The proxy knows about the visited domain, and
can add that information to the AAA packet stream.  This may require
policy changes on those proxies, and maybe a new AAA attribute.  But it
won't require code changes.

> Looking at the document, it appears that the DSRK can be requested
> by any ERX proxy along the path.

  Yes.  I'm not sure I understand that part.  If the visited domain
implements ERX, it can terminate the ERX requests.  If it doesn't
implement ERX, then it can't proxy those requests.

  i.e. the only thing that makes sense to me is that the ERX proxies (if
any) are all within the visited domain.

>  Does the AAA server assume that
> whatever ERX proxy has submitted the request is valid before delivering
> the key? Or is there information provided by the NAS that it is supposed
> to check against?  For example, does it do a reverse PTR RR query
> on the NAS-IP-Address Attribute and check that the proxy submitting
> the DSRK request is within the same domain?

  Not really sure...

  Alan DeKok.

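As an added illustration of the reconciliation step Alan describes above (the visited AAA server folding per-NAS Start/Stop records into one accounting stream per user login and flagging what does not look like a handoff), here is a small Python sketch. It is not code from this thread or from any ERX or RADIUS implementation. User-Name, Acct-Status-Type, Acct-Session-Id, NAS-IP-Address and Event-Timestamp are standard RADIUS attribute names; "Visited-Domain" is a hypothetical attribute standing in for whatever the proxy would add, the sample records are constructed, and the 60-second handoff slack is an assumed policy value.

```python
"""Reconcile per-NAS RADIUS accounting records into one per-user stream.

Added illustration, not code from the thread. 'Visited-Domain' is a
hypothetical attribute name; the records and the slack value are assumptions.
"""
from collections import defaultdict

# Assumed policy: Start/Stop overlap of up to this many seconds between two
# NASes in the same domain is treated as a normal NAS-to-NAS handoff.
HANDOFF_SLACK = 60

# Constructed sample: one user login roams from NAS .10 to NAS .20 inside
# visited.example, a third session in other.example overlaps in time, and
# one Stop arrives with no matching Start.
SAMPLE_RECORDS = [
    {"User-Name": "alice@home.example", "Acct-Status-Type": "Start",
     "Acct-Session-Id": "a1", "NAS-IP-Address": "192.0.2.10",
     "Event-Timestamp": 1000, "Visited-Domain": "visited.example"},
    {"User-Name": "alice@home.example", "Acct-Status-Type": "Stop",
     "Acct-Session-Id": "a1", "NAS-IP-Address": "192.0.2.10",
     "Event-Timestamp": 1600, "Visited-Domain": "visited.example"},
    {"User-Name": "alice@home.example", "Acct-Status-Type": "Start",
     "Acct-Session-Id": "b7", "NAS-IP-Address": "192.0.2.20",
     "Event-Timestamp": 1590, "Visited-Domain": "visited.example"},
    {"User-Name": "alice@home.example", "Acct-Status-Type": "Stop",
     "Acct-Session-Id": "b7", "NAS-IP-Address": "192.0.2.20",
     "Event-Timestamp": 2400, "Visited-Domain": "visited.example"},
    {"User-Name": "alice@home.example", "Acct-Status-Type": "Start",
     "Acct-Session-Id": "c3", "NAS-IP-Address": "198.51.100.5",
     "Event-Timestamp": 1800, "Visited-Domain": "other.example"},
    {"User-Name": "alice@home.example", "Acct-Status-Type": "Stop",
     "Acct-Session-Id": "c3", "NAS-IP-Address": "198.51.100.5",
     "Event-Timestamp": 2000, "Visited-Domain": "other.example"},
    {"User-Name": "alice@home.example", "Acct-Status-Type": "Stop",
     "Acct-Session-Id": "z9", "NAS-IP-Address": "192.0.2.10",
     "Event-Timestamp": 2500, "Visited-Domain": "visited.example"},
]


def pair_sessions(records):
    """Fold Start/Stop records into one entry per (User-Name, Acct-Session-Id).

    Returns (sessions, orphans); orphans are Stops with no preceding Start,
    which cannot be attributed to a login and should be investigated.
    """
    sessions, orphans = {}, []
    for rec in records:
        key = (rec["User-Name"], rec["Acct-Session-Id"])
        status = rec["Acct-Status-Type"]
        if status == "Start":
            sessions[key] = {"user": rec["User-Name"], "session": rec["Acct-Session-Id"],
                             "nas": rec["NAS-IP-Address"], "domain": rec.get("Visited-Domain"),
                             "start": rec["Event-Timestamp"], "stop": None}
        elif status == "Stop":
            if key not in sessions:
                orphans.append(key)
                continue
            sessions[key]["stop"] = rec["Event-Timestamp"]
    return sessions, orphans


def reconcile(records):
    """Group per-NAS sessions into one stream per user, ordered by start time."""
    sessions, orphans = pair_sessions(records)
    streams = defaultdict(list)
    for s in sessions.values():
        streams[s["user"]].append(s)
    for user in streams:
        streams[user].sort(key=lambda s: s["start"])
    return dict(streams), orphans


def find_anomalies(streams, slack=HANDOFF_SLACK):
    """Flag concurrent sessions of one login that do not look like a handoff."""
    anomalies = []
    for user, sessions in streams.items():
        for i, a in enumerate(sessions):
            for b in sessions[i + 1:]:
                a_stop = a["stop"] if a["stop"] is not None else float("inf")
                overlap = a_stop - b["start"]  # b starts no earlier than a (sorted)
                if overlap <= 0:
                    continue
                if a["domain"] != b["domain"]:
                    anomalies.append((user, a["session"], b["session"],
                                      "concurrent sessions in two domains"))
                elif overlap > slack:
                    anomalies.append((user, a["session"], b["session"],
                                      "overlap beyond handoff slack"))
    return anomalies


if __name__ == "__main__":
    streams, orphans = reconcile(SAMPLE_RECORDS)
    for item in find_anomalies(streams):
        print("ANOMALY", item)
    for item in orphans:
        print("ORPHAN STOP", item)
```

In the constructed sample the a1 to b7 move inside visited.example overlaps by 10 seconds and passes as a handoff, the c3 session in other.example runs concurrently with b7 and is flagged, and the z9 Stop is reported as an orphan. A real deployment would key on whatever attribute the proxy actually inserts for the visited domain rather than the placeholder used here.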
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>