
RE: When to Access-Reject vs. Silently Discard



Alan DeKok <> supposedly scribbled:

> Avi Lior <avi@bridgewatersystems.com> wrote:
>> In the RADIUS Digest thread (Issue 79) when the Server detects that
>> the NAS is trying to authenticate a realm for which it is not
>> authorized we need to "reject" the authentication.   This can be
>> done by either Access-Reject or Silently Discarding the packet.  So
>> the question is which one is correct?
> 
>   I would back up, and say when do we discard, versus send reject?
> 
>  - attempted security breaches (bad Message-Authenticator, unknown
>    client) result in the packet being discarded.

Right.

> 
>  - failed authentication or authorization results in Access-Reject
>    (bad password, not permitted to use requested services, etc)

Right.

> 
>> It's not clear:  for example if Message-Authenticator(80) does not
>> validate (as per 3579) we silently discard.  When we detect a lying
>> NAS again as per 3579 we generate an Access-Reject:   "Where a match
>> is not found, an Access-Reject SHOULD be sent, and an error SHOULD
>> be logged."
> 
>   Sending Access-Reject when (NAS-IP-Address != source IP) would
> break a LOT of deployments.  And it's a SHOULD, not a MUST. 

Yes, that is way broken, IMHO.

> 
> 
>   For the case of a NAS authenticating for a realm it's not
> authorized to use, we need to ask if it's a security problem or
> failed authorization.  The answer to that question will tell us how
> to handle this case.
> 
>   My $0.02 is that if the packet contains a valid
> Message-Authenticator, then an Access-Reject should be sent, AND an
> error message logged saying that the NAS is misconfigured, or may be
> compromised.  We "know" it's the right NAS, because it has the right
> source IP and shared secret, which is the only way to identify any
> NAS.

But it's not a _user_ authentication or authorization problem,
either; it's neither fish nor fowl.

> 
>   If the packet doesn't contain a Message-Authenticator, then the
> answer is more complex. 
> 
>   In this case, I believe that the packet does contain
> Message-Authenticator. 
> 
>   Alan DeKok.

Hope this helps,

~gwz

Why is it that most of the world's problems can't be solved by simply
  listening to John Coltrane? -- Henry Gabriel
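One way to encode the rule the thread converges on (discard on an attempted breach such as an unknown client or a bad Message-Authenticator; Access-Reject plus a log entry when a NAS that proved itself via source IP and shared secret asks for a realm it is not allowed to serve) is the server-side decision function below. It is an added example, not code from this thread or from any RADIUS implementation; the shared secret, client table, realm table and sample Access-Request are constructed, and the Message-Authenticator check follows RFC 3579 section 3.2 (HMAC-MD5 over the packet with the attribute value zeroed). A request with no Message-Authenticator at all is left to the normal authentication path, since the thread calls that case "more complex".

```python
import hashlib
import hmac

USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80  # RADIUS attribute types
# Server verdicts, per the thread: discard on attack, reject on failed authorization
DISCARD, REJECT, CONTINUE = "silently discard", "Access-Reject", "continue"

def find_attr(packet, attr_type):
    i = 20  # attributes start after the 20-byte RADIUS header
    while i + 2 <= len(packet):
        t, l = packet[i], packet[i + 1]
        if l < 2:
            return None  # malformed length: stop rather than loop forever
        if t == attr_type:
            return i, packet[i + 2:i + l]
        i += l
    return None

def build_access_request(secret, user_name, identifier=1):
    """Constructed sample Access-Request carrying User-Name and Message-Authenticator."""
    body = bytes([USER_NAME, 2 + len(user_name)]) + user_name.encode()
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    header = bytes([1, identifier]) + (20 + len(body)).to_bytes(2, "big") + b"\x11" * 16
    packet = header + body
    # RFC 3579 s3.2: HMAC-MD5 over the whole packet with the attribute value zeroed
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def message_authenticator_ok(packet, secret):
    found = find_attr(packet, MESSAGE_AUTHENTICATOR)
    if found is None:
        return None  # attribute absent: the "more complex" case in the thread
    off, value = found
    zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)

def decide(packet, src_ip, clients, nas_realms):
    """clients: src_ip -> shared secret; nas_realms: src_ip -> realms that NAS may serve."""
    secret = clients.get(src_ip)
    if secret is None:
        return DISCARD          # unknown client: attempted breach, answer nothing
    if message_authenticator_ok(packet, secret) is False:
        return DISCARD          # forged or tampered packet: answer nothing
    found = find_attr(packet, USER_NAME)
    user = found[1].decode(errors="replace") if found else ""
    realm = user.rpartition("@")[2] if "@" in user else ""
    if realm not in nas_realms.get(src_ip, ()):
        return REJECT           # known NAS, wrong realm: reject and log misconfiguration
    return CONTINUE
```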

archive: <http://psg.com/lists/radiusext/>