
RE: Comments on draft-carroll-dynmobileip-cdma-04.txt



>        RFC 2865 an Access-Reject packet MAY only include Reply-Message
>        and Proxy-State attributes.  Subsequent RFCs allow for other
>        attributes to be included in an Access-Reject packet, but these
>        are included to indicate the reason the
>        authentication/authorization has failed.  It is a normative
>        requirement of RFC 2865 that receipt of an Access-Reject at the
>        NAS terminate the session of the attached network host.  This
>        document violates that normative requirement.  Instead, the use
>        of an Access-Challenge packet would have been appropriate
>        according to RFC 2865.
>
>        (2) The security considerations of this specification rely, in
>        part, on the specific cellular telephony infrastructure used in
>        this application, and the protocol extensions as described herein
>        potentially exhibit inadequate security properties when used
>        outside of the specific deployment environment.  As a result, the
>        use of this specification in other circumstances than those
>        described in this document or as a basis for new work is strongly
>        discouraged.

I would add that the document fundamentally changes the semantics of the
RADIUS Access-Reject, so as not to cause termination of the user
connection.  It also does not integrity protect and authenticate RADIUS
Access-Request, another normative violation of RFC 2865.
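The two points above (an Access-Reject ends the session, an Access-Request needs integrity protection) shown as a NAS-side check; this is an added Python example, not code from the thread or from the draft. It uses the RFC 2865 Response Authenticator for replies and the RFC 2869 Message-Authenticator attribute for requests; the shared secret, identifier and attribute values are constructed.

```python
# Added illustration (not from the thread or the draft): a NAS checking a RADIUS exchange
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
MESSAGE_AUTHENTICATOR = 80          # RFC 2869 attribute type
# RFC 2865: Access-Reject MUST end the session; Access-Challenge continues it.
NAS_ACTION = {ACCESS_ACCEPT: "grant", ACCESS_REJECT: "terminate", ACCESS_CHALLENGE: "continue"}

def build_packet(code, ident, authenticator, attrs):
    """Header (Code, Identifier, Length, Authenticator) plus TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(pkt):
    """Yield (type, value, offset) for every attribute in the packet."""
    off = 20
    while off < len(pkt):
        t, length = pkt[off], pkt[off + 1]
        yield t, pkt[off + 2:off + length], off
        off += length

def sign_access_request(ident, request_auth, attrs, secret):
    """Message-Authenticator = HMAC-MD5(secret, packet with the attribute value zeroed)."""
    pkt = build_packet(ACCESS_REQUEST, ident, request_auth,
                       attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac

def verify_access_request(pkt, secret):
    """False if the HMAC fails or if the request carries no Message-Authenticator at all."""
    for t, value, off in parse_attrs(pkt):
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()

def nas_handle_response(pkt, request_auth, secret):
    """Authenticate the server's reply, then apply the Code's normative meaning."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return "drop"               # forged or tampered reply: ignore it silently
    return NAS_ACTION.get(pkt[0], "drop")
```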


--
archive: <http://psg.com/lists/radiusext/>