
Re: When to Access-Reject vs. Silently Discard



Bernard Aboba <aboba@internaut.com> wrote:
> > Sending Access-Reject when (NAS-IP-Address != source IP) would
> > break a LOT of deployments.  And it's a SHOULD, not a MUST.
> 
> This is only something for a local proxy, not an intermediate proxy or a
> server.  Assuming that it's only a local proxy why would this break
> deployments?

  If the NAS is actually a NAS, and not a proxying server, and if the
NAS is close (in the network) to the RADIUS server, then this
restriction can make sense.

  It's difficult to administer in practice, however, given the
skill-set and knowledge I've seen.  That restriction would be turned
off in many deployments I've seen, because it's too easy to get wrong,
and it has little to no value.

  To back up: If you're worried that the NAS will impersonate another
one via NAS-IP-Address, why are you listening to it at all?

  The only times I can see (NAS-IP-Address != source IP) for local
NASes are buggy implementations, or security breaches.  Is there
another case that text is trying to address, that I'm missing?

  If it's a buggy implementation, upgrade.  If it's a security breach,
an Access-Reject is wrong: the NAS should be de-listed from the known
clients, to avoid an attacker using the trust relationship to gain
knowledge about users.

  Alan DeKok.
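An added illustration of the policy argued in this message (example code written for this archive page, not code from the thread, from FreeRADIUS or from any other RADIUS implementation): a server-side check that decodes an Access-Request, compares NAS-IP-Address against the packet's source address only for clients marked as local NASes, and on a mismatch silently discards, logs, and flags the client for de-listing rather than answering with an Access-Reject. The packet layout follows RFC 2865; the known-clients table, the `is_local` flag, the sample packets and the `SUSPECT_CLIENTS` set are constructed assumptions, and shared-secret/authenticator verification is deliberately out of scope.

```python
"""Added example: NAS-IP-Address vs. source-IP policy for a RADIUS server.
Packet format per RFC 2865; clients table and sample data are constructed."""
import ipaddress
import logging
import struct

log = logging.getLogger("radius.policy")

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4

# Constructed known-clients table: source IP -> (shared secret, is_local_nas).
# Only entries with is_local_nas=True get the NAS-IP-Address consistency check;
# proxies legitimately forward requests carrying other NASes' addresses.
KNOWN_CLIENTS = {
    "192.0.2.10": (b"example-secret", True),    # a NAS on the same LAN
    "198.51.100.5": (b"proxy-secret", False),   # an intermediate proxy
}

# Clients whose traffic looked like a bug or a breach; an operator reviews
# this set and removes the client from KNOWN_CLIENTS (Alan's "de-list").
SUSPECT_CLIENTS = set()


def parse_packet(packet: bytes) -> dict:
    """Decode the 20-byte header and the TLV attributes; raise on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}


def decide(source_ip: str, packet: bytes) -> str:
    """Return 'discard' or 'process'. Nothing here ever yields 'reject':
    a mismatch on a local NAS is treated as bug-or-breach, and answering
    would only confirm to a sender that it is being listened to."""
    client = KNOWN_CLIENTS.get(source_ip)
    if client is None:
        log.warning("request from unknown client %s: discarded", source_ip)
        return "discard"
    _secret, is_local = client
    try:
        parsed = parse_packet(packet)
    except ValueError as err:
        log.warning("malformed packet from %s (%s): discarded", source_ip, err)
        return "discard"
    if parsed["code"] != ACCESS_REQUEST:
        return "discard"
    nas_ip_raw = parsed["attrs"].get(ATTR_NAS_IP_ADDRESS)
    if is_local and nas_ip_raw is not None:
        if len(nas_ip_raw) != 4:
            SUSPECT_CLIENTS.add(source_ip)
            return "discard"
        nas_ip = str(ipaddress.IPv4Address(nas_ip_raw))
        if nas_ip != source_ip:
            # Local NAS claiming another address: log it, flag the client for
            # de-listing, and drop the packet without any response.
            log.error("local NAS %s sent NAS-IP-Address %s: discarded, flagged",
                      source_ip, nas_ip)
            SUSPECT_CLIENTS.add(source_ip)
            return "discard"
    return "process"


def build_access_request(nas_ip: str, user: str, ident: int = 7) -> bytes:
    """Constructed sample packet: zeroed authenticator, no Message-Authenticator,
    so it exists only to exercise the policy check above."""
    name = user.encode()
    attrs = bytes([ATTR_USER_NAME, 2 + len(name)]) + name
    attrs += bytes([ATTR_NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(decide("192.0.2.10", build_access_request("192.0.2.10", "alice")))    # process
    print(decide("192.0.2.10", build_access_request("192.0.2.99", "alice")))    # discard
    print(decide("198.51.100.5", build_access_request("192.0.2.99", "alice")))  # process
    print(decide("203.0.113.7", build_access_request("203.0.113.7", "alice")))  # discard
    print(sorted(SUSPECT_CLIENTS))
```

The proxy entry shows why the check has to be scoped the way the message says: an intermediate proxy forwards requests whose NAS-IP-Address belongs to some other box, so applying the comparison there would break the deployment, while on a directly attached NAS a mismatch has no benign explanation left once buggy firmware is ruled out.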

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>