RE: Issue with SIP - Need for Message-Authenticator
> Thanks for pointing this out Avi. Here is what it says in
> Section 5.19 of RFC 2869:
> An Access-Request that contains either a User-Password or
> CHAP-Password or ARAP-Password or one or more EAP-Message
> attributes MUST NOT contain more than one type of those four
> attributes. If it
> does not contain any of those four attributes, it SHOULD contain a
> Message-Authenticator. If any packet type contains an EAP-Message
> attribute it MUST also contain a Message-Authenticator.
> Note that Message-Authenticator is based on HMAC-MD5. Recent
> research has demonstrated collisions in MD5 (though not in
> HMAC-MD5), so that it may make sense to define a new
> attribute that uses a more highly regarded algorithm, such as
> SHA for message authentication.
defines an attribute that can
> On Thu, 26 Aug 2004, Avi Lior wrote:
>> In the SIP doc I think you need to use Message-Authenticator(80) in
>> the access request.
>> The problem is this: without using a field such as CHAP-Password or
>> Password, the RADIUS server has no way to validate that the
>> Access-Request is arriving from a valid NAS.
>> Message-Authenticator(80) is used to provide integrity protection for
>> the entire Access-Request packet and can be used by the RADIUS Server
>> to validate that the packet was received from a known Client (since
>> the Message-Authenticator uses a shared secret shared by the
>> to unsubscribe send a message to email@example.com with
>> the word 'unsubscribe' in a single line as the message text body.
>> archive: <http://psg.com/lists/radiusext/>
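The server-side check discussed in this thread, as an added example that is not part of the original messages: it applies the quoted RFC 2869 section 5.19 rules to an Access-Request and verifies Message-Authenticator(80) as HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute's 16-octet value zeroed. The function names, the shared secret and the sample-packet builder are hypothetical; rejecting a request that carries none of the four attributes and no Message-Authenticator is a local policy choice that is stricter than the SHOULD in the quoted text.

```python
import hashlib, hmac, struct

ACCESS_REQUEST = 1                                      # packet code
USER_PASSWORD, CHAP_PASSWORD, ARAP_PASSWORD = 2, 3, 70  # attribute types
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
CREDENTIALS = {USER_PASSWORD, CHAP_PASSWORD, ARAP_PASSWORD, EAP_MESSAGE}

def attributes(packet):
    """Return [(type, value_offset, value)] for the TLVs after the 20-byte header."""
    out, pos = [], 20
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 2 <= len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            return None                                 # malformed attribute
        out.append((packet[pos], pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return out

def check_access_request(packet, secret):
    """Apply the RFC 2869 section 5.19 rules quoted above; return (accepted, reason)."""
    if len(packet) < 20:
        return False, "short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        return False, "not a well-formed Access-Request"
    attrs = attributes(packet[:length])                 # octets past Length are padding
    if attrs is None:
        return False, "malformed attribute"
    creds = {t for t, _, _ in attrs if t in CREDENTIALS}
    if len(creds) > 1:
        return False, "more than one credential attribute type"
    macs = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if not macs:  # MUST with EAP-Message; SHOULD with no credential, enforced here as policy
        return bool(creds) and EAP_MESSAGE not in creds, "no Message-Authenticator"
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return False, "malformed Message-Authenticator"
    off, received = macs[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]  # MAC field zeroed
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()    # HMAC-MD5, shared secret
    ok = hmac.compare_digest(expected, received)
    return ok, "Message-Authenticator verified" if ok else "Message-Authenticator mismatch"

def build_request(secret, attrs, sign=True):
    """Constructed sample packet; attrs is [(type, value)], sign appends attribute 80."""
    if sign:
        attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    packet = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(range(16)) + body
    return (packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()) if sign else packet
```

A request with only User-Name, the case raised for the SIP document, is accepted only when it carries a valid Message-Authenticator; the same request unsigned, signed with another secret, or modified in transit is rejected.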