RE: Comments on draft-carroll-dynmobileip-cdma-04.txt
> Hopefully, this is not going to require a huge debate.
The major issue is that the draft specifies the inclusion of an
attribute in an Access-Reject message that has the effect of causing
some key [re]generation, and then a follow-up Access-Request message.
It was pointed out that the traditional way RADIUS accomplishes this
sort of interaction is with an Access-Request, Access-Challenge,
Access-Request message sequence, NOT an Access-Request, Access-Reject,
Access-Request message sequence, in which the NAS does not drop the
session to the client upon receiving the Access-Reject.

It was also pointed out that expecting (or allowing) a NAS to do
anything other than drop the session to the attached client upon
receiving an Access-Reject (with the possible exception of passing a
reject reason code or message to the client first) is a major departure
for RADIUS and a serious security concern. Access-Reject has always
meant that no access is granted and that the client session is ended.
One of those "no means no" things.

Other issues have been raised, as well.
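As an added example, not code from the draft or from the list discussion: a minimal NAS-side response handler in Python that shows the distinction argued above. It verifies the Response Authenticator, keeps the client session open and carries the State attribute into a follow-up Access-Request only on Access-Challenge, and ends the session on Access-Reject no matter which attributes the reject carries. The shared secret, the Request Authenticator and the server replies are constructed for the demo.

```python
import hashlib
import struct

# RADIUS packet codes (RFC 2865) and the two attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_REPLY_MESSAGE, ATTR_STATE = 18, 24

def parse_attributes(payload):
    """Parse RADIUS TLVs: 1-byte type, 1-byte length (header included), value."""
    attrs, i = [], 0
    while i < len(payload):
        t, l = payload[i], payload[i + 1]
        if l < 2 or i + l > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((t, payload[i + 2:i + l]))
        i += l
    return attrs

def verify_response(pkt, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return expected == pkt[4:20]

def nas_handle_response(pkt, request_auth, secret):
    """Decide what the NAS does with a server reply to its Access-Request.
    Access-Challenge: keep the session and echo State in a new Access-Request.
    Access-Reject: end the session whatever attributes it carries (a
    Reply-Message may be relayed to the client first). Unauthenticated
    replies are dropped silently."""
    if len(pkt) < 20 or len(pkt) != struct.unpack("!H", pkt[2:4])[0]:
        return ("drop", None)           # truncated or padded datagram
    if not verify_response(pkt, request_auth, secret):
        return ("drop", None)           # spoofed or corrupted reply
    code, attrs = pkt[0], parse_attributes(pkt[20:])
    if code == ACCESS_CHALLENGE:
        state = next((v for t, v in attrs if t == ATTR_STATE), None)
        return ("challenge", state)     # session stays up; State goes back
    if code == ACCESS_ACCEPT:
        return ("accept", None)
    return ("reject", None)             # Access-Reject or unknown: no new round

def build_response(code, ident, attrs, request_auth, secret):
    """Constructed server reply for the demo (a stand-in, not a real server)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

if __name__ == "__main__":
    ra, secret = bytes(range(16)), b"constructed-shared-secret"  # constructed
    chal = build_response(ACCESS_CHALLENGE, 7, [(ATTR_STATE, b"round2")], ra, secret)
    print(nas_handle_response(chal, ra, secret))   # ('challenge', b'round2')
```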