RE: authors 48 hours: RFC 3576 <draft-chiba-radius-dynamic-authorization-20.txt> NOW AVAILABLE
> Date: Tue, 8 Jul 2003 15:56:39 -0700
> From: "Bernard Aboba" <bernarda@windows.microsoft.com>
> To: "RFC Editor" <rfc-editor@rfc-editor.org>
> ...
>
> As the result of an issue raised after IESG approval of publication, I
> would like to request the following change (which I presume needs
> signoff from the IESG):
>
> Please change the text of Section 5.1 to the following:
>
> " 5.1. Authorization issues
>
> Where a NAS is shared by multiple providers, it is undesirable for one
> provider to be able to send Disconnect-Request or CoA-Requests affecting
> the sessions of another provider.
>
> A NAS or RADIUS proxy MUST silently discard Disconnect-Request or CoA-
> Request messages from untrusted sources. By default, a RADIUS proxy
> SHOULD perform a "reverse path forwarding" (RPF) check to verify that a
> Disconnect-Request or CoA-Request originates from an authorized RADIUS
> server. In addition, it SHOULD be possible to explicitly authorize
> additional sources of Disconnect-Request or CoA-Request packets relating
> to certain classes of sessions. For example, a particular source can be
> explicitly authorized to send CoA-Request messages relating to users
> within a set of realms.
>
> To perform the RPF check, the proxy uses the session identification
> attributes included in Disconnect-Request or CoA-Request messages, in
> order to determine the RADIUS server(s) to which an equivalent Access-
> Request could be routed. If the source address of the Disconnect-
> Request or CoA-Request is within this set, then the Request is
> forwarded; otherwise it MUST be silently discarded.
>
> Typically the proxy will extract the realm from the Network Access
> Identifier [RFC2486] included within the User-Name Attribute, and
> determine the corresponding RADIUS servers in the proxy routing tables.
> The RADIUS servers for that realm are then compared against the source
> address of the packet. Where no RADIUS proxy is present, the RPF check
> will need to be performed by the NAS itself.
>
> Since authorization to send a Disconnect-Request or CoA-Request is
> determined based on the source address and the corresponding shared
> secret, the NASes or proxies SHOULD configure a different shared secret
> for each RADIUS server."
iesg signs off
randy
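The RPF check described in the quoted Section 5.1, written out as an added example (not part of this message or of the draft itself): a proxy extracts the realm from the NAI in User-Name, looks up the RADIUS servers that an equivalent Access-Request would be routed to, and forwards the Disconnect-Request or CoA-Request only if its source address is in that set or among explicitly authorized extra sources for the realm. The routing table, the realm names, the documentation-range addresses and the dictionary standing in for the parsed request attributes are all constructed for this example.

```python
# Reverse path forwarding (RPF) check for Disconnect-Request / CoA-Request
# messages at a RADIUS proxy, following the procedure in Section 5.1.

# Constructed proxy routing table: realm -> RADIUS server addresses to which
# an Access-Request for that realm would be routed (hypothetical values).
ROUTING_TABLE = {
    "example.com": {"192.0.2.10", "192.0.2.11"},
    "example.net": {"198.51.100.20"},
}

# Additional sources explicitly authorized to send CoA/Disconnect requests
# for certain realms, as Section 5.1 allows (hypothetical values).
EXTRA_AUTHORIZED = {
    "example.net": {"203.0.113.5"},
}


def realm_from_nai(user_name):
    """Return the realm part of an NAI (RFC 2486 'user@realm'), or None.

    The split is on the last '@'; the realm is lower-cased here, which is a
    normalization choice made in this example, not mandated by the text.
    """
    if "@" not in user_name:
        return None
    return user_name.rsplit("@", 1)[1].lower()


def rpf_check(request, source_address):
    """Decide whether a CoA/Disconnect request may be forwarded.

    request is a dict of the session identification attributes carried in
    the message; source_address is the packet's source IP as a string.
    Returns True to forward, False to silently discard.
    """
    user_name = request.get("User-Name")
    if user_name is None:
        return False  # nothing to route on: treat as untrusted and discard
    realm = realm_from_nai(user_name)
    if realm is None:
        return False  # no realm, so no server set can be determined
    # Servers an equivalent Access-Request could reach, plus explicit extras.
    allowed = set(ROUTING_TABLE.get(realm, set()))
    allowed |= EXTRA_AUTHORIZED.get(realm, set())
    return source_address in allowed


if __name__ == "__main__":
    req = {"User-Name": "alice@example.com", "Acct-Session-Id": "0001"}
    print("forward" if rpf_check(req, "192.0.2.10") else "discard")
```

Where no proxy is present, the same decision would be made by the NAS itself; the per-server shared secret that authenticates the packet is a separate check that this example does not perform.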