Re: FW: Review of draft-ietf-radext-status-server
Ignacio Goyret wrote:
> That assumes that the client was the one actually sending
> the Status-Server. It could have been an attacker.
>
> A client has very little to use to validate an incoming Access-Request
> that was generated as a response to a Status-Server.
Hmm... OK.
> IOW, a server responding to a Status-Server sent to its auth port
> may unintentionally authenticate a bogus session.
This requires that the attacker obtain the Request Authenticator from
the Access-Request, put it into a Status-Server, and send that to the
server before it receives the Access-Request.
It's possible, but hard.
> That's why I say that using Access-Accept as a response to
> anything other than an Access-* is dangerous.
The use of Message-Authenticator means that the attacker won't be able
to sign the Status-Server, meaning the server won't respond.
We can put some more text into the document highlighting the necessity
for using Message-Authenticator.
Alan DeKok.
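The check the reply relies on, as an added example that is not part of the thread or the draft: a Status-Server packet carries a Message-Authenticator (RFC 2869 attribute 80, HMAC-MD5 over the packet keyed with the shared secret), and the server answers only when that HMAC verifies, so a party that knows the Request Authenticator but not the shared secret cannot get a response. The shared secret, identifier and Request Authenticator below are constructed sample values.

```python
import hmac
import hashlib
import struct

STATUS_SERVER = 12          # RADIUS Status-Server packet code
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type, 16-octet HMAC-MD5
HEADER_LEN = 20             # code, identifier, length, 16-octet authenticator

def build_status_server(secret: bytes, identifier: int, authenticator: bytes) -> bytes:
    """Client side: Status-Server with a Message-Authenticator over the whole packet."""
    # The attribute value is 16 zero octets while the HMAC is computed (RFC 2869 5.14).
    attr_zeroed = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    length = HEADER_LEN + len(attr_zeroed)
    header = struct.pack("!BBH", STATUS_SERVER, identifier, length) + authenticator
    mac = hmac.new(secret, header + attr_zeroed, hashlib.md5).digest()
    return header + bytes([MESSAGE_AUTHENTICATOR, 18]) + mac

def verify_status_server(secret: bytes, packet: bytes) -> bool:
    """Server side: True only for a Status-Server whose Message-Authenticator verifies.

    A packet with no Message-Authenticator, or with one computed under a
    different secret, is rejected so the server sends no response at all."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != STATUS_SERVER or length != len(packet):
        return False
    pos = HEADER_LEN
    while pos + 2 <= len(packet):               # walk the type/length/value attributes
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False                         # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False  # no Message-Authenticator present: do not answer

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    request_authenticator = bytes(range(16))  # e.g. copied from an observed Access-Request
    genuine = build_status_server(secret, 7, request_authenticator)
    forged = build_status_server(b"guessed-secret", 7, request_authenticator)
    print("genuine accepted:", verify_status_server(secret, genuine))  # True
    print("forged accepted:", verify_status_server(secret, forged))    # False
```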
archive: <http://psg.com/lists/radiusext/>