
Re: I-D Action:draft-ietf-radext-dynamic-discovery-00.txt



Internet-Drafts@ietf.org wrote:
> 	Title           : NAI-based Dynamic Peer Discovery for RADIUS over TLS and DTLS
> 	Author(s)       : S. Winter, M. McCauley
> 	Filename        : draft-ietf-radext-dynamic-discovery-00.txt

  My $0.02, as suggested in earlier emails:

...
   The discovery process is always susceptible to bidding down attacks
   if a realm has SRV records for RADIUS/UDP and/or RADIUS/TCP as well
   as for RADIUS/TLS and/or RADIUS/DTLS.
...

  This discovery should be *forbidden* for RADIUS/UDP and RADIUS/TCP.

  The only consumer of this dynamic discovery right now is RadSec.  So
forbidding RADIUS/UDP and RADIUS/TCP from using this method has no
impact on existing systems.

  Alan DeKok.
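As an added illustration (not code from the draft or from the post above) of the "secure transports only" rule, the following selector keeps only RADIUS/TLS and RADIUS/DTLS SRV candidates, orders them by RFC 2782 priority and weight, and flags a realm that also publishes plaintext records. The SRV labels are assumptions: the TLS/DTLS names follow the later RFC 7585 convention and the UDP/TCP names are hypothetical.

```python
from dataclasses import dataclass

# Assumed service labels (RFC 7585 style); the plaintext ones are hypothetical.
SECURE_SERVICES = {"_radiustls._tcp", "_radiusdtls._udp"}
PLAINTEXT_SERVICES = {"_radius._udp", "_radius._tcp"}


@dataclass(frozen=True)
class SrvRecord:
    service: str   # e.g. "_radiustls._tcp"
    priority: int  # RFC 2782: lower is tried first
    weight: int    # RFC 2782: higher is preferred within a priority
    port: int
    target: str


def select_peers(records):
    """Return (ordered secure candidates, downgrade_exposed).

    Plaintext records are never used as candidates, even when no secure
    record exists: discovery then fails closed with an empty list instead
    of falling back to RADIUS/UDP or RADIUS/TCP.
    """
    secure = [r for r in records if r.service in SECURE_SERVICES]
    exposed = any(r.service in PLAINTEXT_SERVICES for r in records)
    secure.sort(key=lambda r: (r.priority, -r.weight))
    return secure, exposed


# Constructed sample: a realm advertising both secure and plaintext transports.
SAMPLE = [
    SrvRecord("_radius._udp", 10, 0, 1812, "legacy.example.com."),
    SrvRecord("_radiustls._tcp", 20, 50, 2083, "backup.example.com."),
    SrvRecord("_radiustls._tcp", 10, 100, 2083, "radsec.example.com."),
    SrvRecord("_radiusdtls._udp", 10, 10, 2083, "dtls.example.com."),
]

if __name__ == "__main__":
    peers, exposed = select_peers(SAMPLE)
    for p in peers:
        print(f"{p.service} {p.target}:{p.port} prio={p.priority} weight={p.weight}")
    if exposed:
        print("warning: realm also advertises plaintext RADIUS (bidding-down exposure)")
```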

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>