
RE: authors 48 hours: RFC 3576 <draft-chiba-radius-dynamic-authorization-20.txt> NOW AVAILABLE



> Date: Tue, 8 Jul 2003 15:56:39 -0700
> From: "Bernard Aboba" <bernarda@windows.microsoft.com>
> To: "RFC Editor" <rfc-editor@rfc-editor.org>
> ...
>
> As the result of an issue raised after IESG approval of publication, I
> would like to request the following change (which I presume needs
> signoff from the IESG):
> 
> Please change the text of Section 5.1 to the following:
> 
> " 5.1.  Authorization issues
> 
> Where a NAS is shared by multiple providers, it is undesirable for one
> provider to be able to send Disconnect-Request or CoA-Requests affecting
> the sessions of another provider.
> 
> A NAS or RADIUS proxy MUST silently discard Disconnect-Request or CoA-
> Request messages from untrusted sources.  By default, a RADIUS proxy
> SHOULD perform a "reverse path forwarding" (RPF) check to verify that a
> Disconnect-Request or CoA-Request originates from an authorized RADIUS
> server.  In addition, it SHOULD be possible to explicitly authorize
> additional sources of Disconnect-Request or CoA-Request packets relating
> to certain classes of sessions.  For example, a particular source can be
> explicitly authorized to send CoA-Request messages relating to users
> within a set of realms.
> 
> To perform the RPF check, the proxy uses the session identification
> attributes included in Disconnect-Request or CoA-Request messages, in
> order to determine the RADIUS server(s) to which an equivalent Access-
> Request could be routed.  If the source address of the Disconnect-
> Request or CoA-Request is within this set, then the Request is
> forwarded; otherwise it MUST be silently discarded.
> 
> Typically the proxy will extract the realm from the Network Access
> Identifier [RFC2486] included within the User-Name Attribute, and
> determine the corresponding RADIUS servers in the proxy routing tables.
> The RADIUS servers for that realm are then compared against the source
> address of the packet.  Where no RADIUS proxy is present, the RPF check
> will need to be performed by the NAS itself.
> 
> Since authorization to send a Disconnect-Request or CoA-Request is
> determined based on the source address and the corresponding shared
> secret, the NASes or proxies SHOULD configure a different shared secret
> for each RADIUS server."

iesg signs off

randy
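As an added illustration of the RPF check described in the quoted Section 5.1 (example code written for this archive page, not part of the e-mail or of RFC 3576): the proxy extracts the realm from the NAI in User-Name, looks up the RADIUS servers that an equivalent Access-Request for that realm would be routed to, and forwards the Disconnect-Request or CoA-Request only if the packet's source address is one of them or is an explicitly authorized source for that realm. The routing table, the explicit-authorization table, the per-server shared secrets and the sample requests are all constructed for the example; the function, dataclass and table names are assumptions, and only User-Name is used as the session identification attribute.

```python
# Added example of the RFC 3576 Section 5.1 "reverse path forwarding"
# check at a RADIUS proxy. Not code from the e-mail or the RFC; every
# table below is a constructed sample and every name is an assumption.

from dataclasses import dataclass
from typing import Optional

# Proxy routing table: realm -> RADIUS server addresses to which an
# Access-Request for that realm would be routed (constructed sample).
ROUTING_TABLE = {
    "example.net": {"192.0.2.10", "192.0.2.11"},
    "example.org": {"198.51.100.20"},
}

# Explicit authorizations beyond the RPF check: source address -> realms
# it may send CoA/Disconnect-Requests about (constructed sample).
EXPLICIT_AUTHZ = {
    "203.0.113.5": {"example.org"},
}

# One shared secret per source, as the text recommends, so that a source
# is authorized by address *and* by its own secret (constructed values).
SHARED_SECRETS = {
    "192.0.2.10": b"secret-for-server-10",
    "192.0.2.11": b"secret-for-server-11",
    "198.51.100.20": b"secret-for-server-20",
    "203.0.113.5": b"secret-for-coa-source",
}


@dataclass
class Request:
    code: str        # "Disconnect-Request" or "CoA-Request"
    src: str         # source IP address of the UDP datagram
    user_name: str   # User-Name attribute, an NAI of the form user@realm


def realm_of(user_name: str) -> Optional[str]:
    """Extract the realm from an NAI (RFC 2486 user@realm); None if absent."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip().lower()
    return realm or None


def rpf_check(req: Request) -> bool:
    """Return True if the request may be forwarded, False if it must be
    silently discarded."""
    if req.code not in ("Disconnect-Request", "CoA-Request"):
        return False
    # No shared secret configured for this source: untrusted, discard.
    if req.src not in SHARED_SECRETS:
        return False
    realm = realm_of(req.user_name)
    if realm is None:
        # Cannot determine where an Access-Request would go; discard.
        return False
    # RPF proper: would an equivalent Access-Request for this realm be
    # routed to the source of this packet?
    if req.src in ROUTING_TABLE.get(realm, set()):
        return True
    # Otherwise only a source explicitly authorized for this realm passes.
    return realm in EXPLICIT_AUTHZ.get(req.src, set())


def secret_for(req: Request) -> Optional[bytes]:
    """Shared secret to use when verifying the Authenticator of a request
    that passed the RPF check (None for unknown sources)."""
    return SHARED_SECRETS.get(req.src)


if __name__ == "__main__":
    samples = [
        Request("CoA-Request", "192.0.2.10", "alice@example.net"),      # forward
        Request("CoA-Request", "198.51.100.20", "alice@example.net"),   # wrong realm's server
        Request("Disconnect-Request", "203.0.113.5", "bob@example.org"),  # explicitly authorized
        Request("Disconnect-Request", "203.0.113.5", "bob@example.net"),  # not for this realm
        Request("CoA-Request", "10.0.0.1", "alice@example.net"),        # untrusted source
    ]
    for r in samples:
        print(r.code, r.src, r.user_name, "->", "forward" if rpf_check(r) else "discard")
```

Note that the check is only as strong as the routing table it consults: if several providers share a realm entry, any of their servers can pass RPF for that realm, which is why the text pairs the address check with a distinct shared secret per server.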