[radext] #46: B.3
---------------------------------------+------------------------------------
Reporter: bernard_aboba@… | Owner:
Type: defect | Status: new
Priority: major | Milestone: milestone1
Component: design | Version: 1.0
Severity: Submitted WG Document | Keywords:
---------------------------------------+------------------------------------
Since this is a security attribute and is encrypted, code changes are
required on the RADIUS client and server to support it, regardless of
the attribute format. Therefore, this complex data type is
acceptable in this situation.
[BA] The design of the Tunnel-Password attribute goes against the
recommendations in the Security Considerations section, so suggesting that
this attribute is acceptable doesn't make sense.
Recommended change:
Since this is a security attribute, code changes are
required on the RADIUS client and server to support it, regardless of
the attribute format. However, while use of a complex data type is
acceptable in this situation, the design of the Tunnel-Password
attribute is problematic from a security perspective, since it uses MD5 as
a cipher, and provides a password to a NAS, potentially without proper
authorization.
--
Ticket URL: <http://trac.tools.ietf.org/wg/radext/trac/ticket/46>
radext <http://tools.ietf.org/radext/>
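To make concrete what "uses MD5 as a cipher" refers to, the following is an added Python example (not part of the ticket, the draft, or any RADIUS implementation) of the Tunnel-Password obfuscation from RFC 2868 section 3.5: the String field is XORed with a keystream of chained MD5 digests seeded by the shared secret, the Request Authenticator and the Salt. The shared secret, Request Authenticator and Salt below are constructed sample values, and the Tag octet that precedes the Salt on the wire is left out.

```python
import hashlib

# Constructed sample inputs (not from the ticket): shared secret S, the
# 16-octet Request Authenticator R, and a 2-octet Salt A with its high bit set.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SALT = bytes([0x80 | 0x12, 0x34])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def first_keystream_block(secret: bytes, request_auth: bytes, salt: bytes) -> bytes:
    """b(1) = MD5(S + R + A): the first 16 keystream octets of RFC 2868 3.5."""
    return hashlib.md5(secret + request_auth + salt).digest()


def tunnel_password_encrypt(password: bytes, secret: bytes,
                            request_auth: bytes, salt: bytes) -> bytes:
    """Return Salt + obfuscated String (Tag octet omitted)."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("Salt must be 2 octets with the high bit set")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    # String = Data-Length octet + password, zero-padded to a 16-octet multiple.
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    out = b""
    b = first_keystream_block(secret, request_auth, salt)
    for i in range(0, len(plain), 16):
        c = _xor(plain[i:i + 16], b)            # c(i) = p(i) XOR b(i)
        out += c
        b = hashlib.md5(secret + c).digest()    # b(i+1) = MD5(S + c(i))
    return salt + out


def tunnel_password_decrypt(value: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse the obfuscation; the Salt travels in the clear ahead of String."""
    salt, ct = value[:2], value[2:]
    plain = b""
    b = first_keystream_block(secret, request_auth, salt)
    for i in range(0, len(ct), 16):
        c = ct[i:i + 16]
        plain += _xor(c, b)
        b = hashlib.md5(secret + c).digest()
    return plain[1:1 + plain[0]]


if __name__ == "__main__":
    enc = tunnel_password_encrypt(b"hunter2", SECRET, REQUEST_AUTH, SALT)
    print(enc.hex(), tunnel_password_decrypt(enc, SECRET, REQUEST_AUTH))
```

Because the keystream depends only on S, R and A, the construction is a stream cipher built from MD5, and the uniqueness of the Salt per attribute is what keeps the keystream from repeating within a request.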