
RE: [Issue] RFC 3576 Usage of Message-Authenticator



> This discussion has brought to light something that doesn't make
> sense to me.  The Request Authenticators are calculated differently in
> Access-Requests and Accounting-Requests, but I don't understand why
> (& I can't believe I didn't notice this before). RFC 2866 says "Note
> that the Request Authenticator of an Accounting-Request can not be
> done the same way as the Request Authenticator of a RADIUS
> Access-Request, because there is no User-Password attribute in an
> Accounting-Request."  The problem is, while the "encryption"
> technique used for the User-Password Attribute depends upon the
> Request Authenticator, the dependency is not, as far as I can tell,
> mutual.  Maybe someone can explain this?

I think it came up because in RFC 2865 Access-Requests are authenticated
via the User-Password attribute (Message-Authenticator wasn't required).
RFC 2866 wanted both Accounting-Requests and Accounting-Responses to be
authenticated, so they couldn't re-use the RFC 2865 scheme, since no
User-Password attribute would be included in the Accounting-Request.

Message-Authenticator didn't exist at the time (it was defined in RFC
2869), so they changed the definition of the Request Authenticator in the
Accounting-Request.

In this particular case, RFC 3576 documented the existing practice, which
copied RFC 2866.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
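The three constructions the reply above contrasts, worked through as an added Python example (it is not code from the original thread, nor from any RADIUS implementation): the RFC 2865 Access-Request, whose Request Authenticator is random and whose User-Password is hidden with an MD5 keystream seeded from that authenticator; the RFC 2866 Accounting-Request, whose Request Authenticator is MD5 over the packet with a zeroed authenticator field plus the shared secret; and the RFC 2869 Message-Authenticator, an HMAC-MD5 over the whole packet with its own value zeroed. The shared secret, user name, password, identifiers and the fixed Request Authenticator used for reproducibility are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample secret for this example; not from the original message.
SECRET = b"xyzzy5461"

ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_ACCT_STATUS_TYPE = 40
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(t, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([t, len(value) + 2]) + value


def packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length, 16-octet Authenticator, then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def iter_attrs(pkt):
    """Yield (offset, type, value) for each attribute, rejecting bad lengths."""
    pos = 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed attribute")
        yield pos, pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]


def hide_user_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each chunk with
    MD5(secret + previous), where 'previous' starts as the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_user_password(hidden, secret, request_authenticator):
    """Inverse of hide_user_password; trailing padding nulls are stripped."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def accounting_request_authenticator(ident, attrs, secret):
    """RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + attributes + secret).
    Not random, and it covers every attribute in the packet."""
    return hashlib.md5(packet(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs) + secret).digest()


def add_message_authenticator(code, ident, request_authenticator, attrs, secret):
    """RFC 2869 5.14: HMAC-MD5, keyed with the shared secret, over the whole
    packet with the Message-Authenticator value set to 16 zero octets."""
    zeroed = packet(code, ident, request_authenticator,
                    attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(pkt, secret):
    """Find the Message-Authenticator, zero it, recompute and compare in constant time."""
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    for off, t, value in iter_attrs(pkt):
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            return hmac.compare_digest(value, hmac.new(secret, zeroed, hashlib.md5).digest())
    return False


def verify_accounting_request(pkt, secret):
    """Recompute the RFC 2866 Request Authenticator and compare with the received one."""
    if pkt[0] != ACCOUNTING_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    return hmac.compare_digest(pkt[4:20], accounting_request_authenticator(pkt[1], pkt[20:], secret))


def build_access_request(ident, username, password, secret, request_authenticator=None):
    """RFC 2865 Access-Request: random Request Authenticator, hidden User-Password,
    plus an RFC 2869 Message-Authenticator covering the whole packet."""
    ra = request_authenticator or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_user_password(password, secret, ra))
    return packet(ACCESS_REQUEST, ident, ra,
                  add_message_authenticator(ACCESS_REQUEST, ident, ra, attrs, secret))


def build_accounting_request(ident, attrs, secret):
    """RFC 2866 Accounting-Request: the Request Authenticator is derived from the packet."""
    return packet(ACCOUNTING_REQUEST, ident, accounting_request_authenticator(ident, attrs, secret), attrs)
```

The code makes the dependency the quoted question raises visible: hide_user_password takes the Request Authenticator as input, but build_access_request draws that authenticator at random without looking at any attribute, so in RFC 2865 nothing other than the User-Password is bound to the secret. accounting_request_authenticator and add_message_authenticator both digest the complete packet, which is what lets an Accounting-Request (or, per RFC 2869, an Access-Request carrying a Message-Authenticator) be checked even when there is no User-Password attribute to hide.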