Re: AW: AW: Issue 79; digest-auth realm validation

[Miguel Garcia <Miguel.An.Garcia@nokia.com>]

Hi Wolfgang:

Yeap, understood now. The Message-Authenticator will help definitely. 
Then I believe your compromising considerations are right.

/Miguel

Beck01, Wolfgang wrote:

> > So you basically stop in the RADIUS server processing further 
> > requests that come from the same RADIUS client?
>
> yes.
>
> > How do you identify the RADIUS client, is it by its IP address?
>
> yes, and by a shared secret. But I am not sure whether current RADIUS
> server APIs support this.
>
>
> > What I am trying to avoid is that this "compromise" prevents 
> > that RADIUS server to process legitimate requests coming from a RADIUS 
> > client just because an attacker wrote a forged RADIUS request to preclude that 
> > client to be operating anymore.
>
> This would be a quite effective DoS attack. But Message-Authenticator is mandatory
> now and should make forging RADIUS requests much harder.
>
> Wolfgang
>
> --
> T-Systems
> Next Generation IP Services and Systems
> +49 6151 937 2863
> Am Kavalleriesand 3
> 64295 Darmstadt
> Germany 

--
Miguel A. Garcia           tel:+358-50-4804586
Nokia Research Center      Helsinki, Finland


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>