
RE: draft-chiba compatibility with Diameter review of Chiba 19



The State attribute allows me to tie the two messages together.  It is opaque
outside the home network.  But within it we can use it to route the message to
the correct server.

The question of trust has nothing to do with the State; it's a more general
issue.  The Access-Request message will always be routed to the home network
based on the username attribute.  The Access-Accept message should therefore
be trusted, no?



> -----Original Message-----
> From: Murtaza S. Chiba [mailto:mchiba@cisco.com] 
> Sent: May 13, 2003 4:56 PM
> To: Bernard Aboba
> Cc: Avi Lior; 'aaa-wg@ietf.org'; 'gdommety@cisco.com'; 
> 'meklund@cisco.com'; 'david@mitton.com'; 'iesg@ietf.org'; 
> 'jari.arkko@piuha.net'
> Subject: Re: draft-chiba compatibility with Diameter review 
> of Chiba 19
> 
> 
> Bernard Aboba wrote:
> >>Hi All,
> >>	If I understand this correctly the Authorize-Only triggers the NAS to
> >>send an Access-Request (after the NAK).  Since username contains
> >>domain, this is not enough as a domain could have multiple servers for
> >>redundancy and this request needs to go back to a particular server(?)
> >>and hence we need the State attribute?
> > 
> > 
> > It is possible that the State Attribute will be needed. Use is 
> > optional.
> > 
> 
> 
> Fair enough, but I am trying to understand the usefulness of the State
> Attribute.  What specific problem does its use solve?  Also, if the
> originator is not the recipient of the Access-Request, then the security
> implications need to be worked out, i.e. do you trust the Access-Accept?
> Maybe it SHOULD be restricted to the originator??
> 
> Thanks,
> Murtaza
> 
> 
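The routing scheme Avi describes above (State is opaque outside the home network, but inside it picks one of several redundant servers), as an added example that is not part of the original thread or of the Chiba draft.  The realm, server names, shared key and the internal layout of State are all assumptions made for the example; RADIUS only requires that the NAS echo State back unchanged.  The MAC check is one way of handling the case Murtaza raises, a State that this home realm did not actually issue: such a value is refused rather than allowed to steer routing.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed home realm with two redundant RADIUS servers (hypothetical names).
HOME_REALM = "example.net"
HOME_SERVERS: Dict[int, str] = {1: "radius1.example.net", 2: "radius2.example.net"}

# Hypothetical key shared only by the home realm's servers.  Nothing outside the
# home network holds it, so to the NAS and intermediate proxies State is opaque.
STATE_KEY = b"constructed-home-realm-secret"

NONCE_LEN = 8
MAC_LEN = 8


def make_state(server_id: int, key: bytes = STATE_KEY,
               nonce: Optional[bytes] = None) -> bytes:
    """Mint a State value: 1-byte server id || nonce || truncated HMAC-SHA256.

    A home server includes this in the message it sends towards the NAS; the NAS
    echoes it unchanged in the Authorize-Only Access-Request without needing to
    understand it.
    """
    if not 0 <= server_id <= 255:
        raise ValueError("server id must fit in one octet")
    body = bytes([server_id]) + (os.urandom(NONCE_LEN) if nonce is None else nonce)
    mac = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + mac


def parse_state(state: bytes, key: bytes = STATE_KEY) -> Optional[int]:
    """Return the issuing server id, or None if State is not ours or was altered."""
    if len(state) != 1 + NONCE_LEN + MAC_LEN:
        return None
    body, mac = state[:-MAC_LEN], state[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        return None
    return body[0]


def realm_of(user_name: str) -> Optional[str]:
    """Realm portion of User-Name; proxies route on this to reach the home network."""
    if "@" not in user_name:
        return None
    return user_name.rsplit("@", 1)[1].lower()


def route_access_request(attrs: Dict[str, object],
                         servers: Dict[int, str] = HOME_SERVERS,
                         key: bytes = STATE_KEY) -> str:
    """Pick the home server for an Access-Request that reached the home realm's front end."""
    if realm_of(str(attrs.get("User-Name", ""))) != HOME_REALM:
        raise ValueError("wrong realm: this request should not have reached us")
    state = attrs.get("State")
    if state is None:
        # Fresh authentication with no State: any of the redundant servers will do.
        return servers[min(servers)]
    server_id = parse_state(bytes(state), key)
    if server_id is None or server_id not in servers:
        # Forged, foreign or damaged State: refuse rather than let it steer routing.
        raise ValueError("State was not minted by this realm or was altered")
    return servers[server_id]


def demo() -> str:
    """Server 2 issues State, the NAS echoes it, and routing lands on server 2 again."""
    issued = make_state(2)                                             # home server 2 -> NAS
    authorize_only = {"User-Name": "bob@example.net", "State": issued}  # NAS -> home realm
    return route_access_request(authorize_only)


if __name__ == "__main__":
    print(demo())
```

Run the file directly to see the Authorize-Only request come back to radius2.example.net.  A State with a damaged id or MAC raises instead of being routed, and a request whose User-Name realm is not the home realm is rejected before State is even looked at, matching the point that realm-based routing, not State, is what brings the request home.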