[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Comments on draft-carroll-dynmobileip-cdma-04.txt
- To: gwz@cisco.com, "'Frank Quick'" <fquick@qualcomm.com>, "'W. Mark Townsley'" <townsley@cisco.com>
- Subject: Re: Comments on draft-carroll-dynmobileip-cdma-04.txt
- From: "Alan DeKok" <aland@ox.org>
- Date: Mon, 07 Mar 2005 20:51:38 -0500
- Cc: "'Jari Arkko'" <jari.arkko@piuha.net>, "'Nelson, David'" <dnelson@enterasys.com>, "'Barney Wolff'" <barney@databus.com>, "'Avi Lior'" <avi@bridgewatersystems.com>, "'Thomas Narten'" <narten@us.ibm.com>, "'Carroll, Christopher P.'" <Ccarroll@ropesgray.com>, gerry.flynn@verizonwireless.com, radiusext@ops.ietf.org
- In-reply-to: Your message of "Mon, 07 Mar 2005 17:26:51 PST." <200503080126.j281QpjI025826@rtp-core-2.cisco.com>
"Glen Zorn (gwz)" <gwz@cisco.com> wrote:
> I think that this is an error in 2869, and itself a violation of
> 2865.
...
> However, you are right that 2865 does not explicitly say that the
> connection must be dropped, it merely assumes that that is the only
> reasonable course of action. I agree with that assumption,
> obviously, since otherwise the semantics of the Access-Reject
> message are up for grabs.
I agree. The use of Access-Reject as a *normal* part of a
*continuing* authentication conversation violates RFC 2865. The text
in RFC 2869 should have used Access-Challenge, and included the
Password-Retry attribute there. RFC 2869 Section 2.2 page 8, even
says:
If that authentication fails, the RADIUS server should return an
Access-Reject packet to the NAS, with optional Password-Retry and
Reply-Messages attributes. The presence of Password-Retry indicates
the ARAP NAS MAY choose to initiate another challenge-response cycle,
"challenge-response" should mean the use of the Access-Challenge
packet, and only the Access-Challenge attribute.
RFC 2865, Section 4.4, page 19 addresses the semantics of
Access-Challenge being equivalent to Access-Reject in some cases:
If the NAS does not support challenge/response, it MUST treat an
Access-Challenge as though it had received an Access-Reject
instead.
Given the discussion surrounding Access-Reject, and the comments
about RFC 2869, I think we should open another issue for the RFC 2869
violation of Access-Reject semantics, independent of this draft.
Alan DeKok.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>