Re: AW: Issue 79; digest-auth realm validation

[Miguel Garcia <Miguel.An.Garcia@nokia.com>]

So you basically stop in the RADIUS server processing further requests 
that come from the same RADIUS client? How do you identify the RADIUS 
client, is it by its IP address?

What I am trying to avoid is that this "compromise" prevents that RADIUS 
server to process legitimate requests coming from a RADIUS client just 
because an attacker wrote a forged RADIUS request to preclude that 
client to be operating anymore. If you can avoid this case I am fine, 
otherwise, I have a problem with it.

/Miguel

Beck01, Wolfgang wrote:

> Miguel wrote:
>
> > I have a question:
> >
> > What is the intention of this text:
> >
> >    "The RADIUS server considers this client as
> >    compromised. "
> >
> > What is this consideration? Is it that the RADIUS server marks 
> > "something" as "not being able to use the HTTP or SIP service 
> > any longer"?
>
> "something" -- the RADIUS client that sent a Digest-Realm with a
> realm it is not allowed to speak for.
> Joe's reasoning was that this can be a sign of compromised
> RADIUS client. If a RADIUS client is compromised, it's better
> not to process any requests from it until the situation has
> been resolved.
>
> So your proposal would be just to drop the reject the request
> with the offending Digest-Realm attribute?
>
> Wolfgang
>
> --
> T-Systems
> Next Generation IP Services and Systems
> +49 6151 937 2863
> Am Kavalleriesand 3
> 64295 Darmstadt
> Germany 
>
> --
> to unsubscribe send a message to radiusext-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>

--
Miguel A. Garcia           tel:+358-50-4804586
Nokia Research Center      Helsinki, Finland


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>