
Re: When to Access-Reject vs. Silently Discard



>   The only times I can see (NAS-IP-Address != source IP) for local
> NASes are buggy implementations, or security breaches.  Is there
> another case that text is trying to address, that I'm missing?

That's about it.

>   If it's a buggy implementation, upgrade.  If it's a security breach,
> an Access-Reject is wrong: the NAS should be de-listed from the known
> clients, to avoid an attacker using the trust relationship to gain
> knowledge about users.

Certainly the NAS should be delisted, but presumably that will not occur
automatically, but as the result of administrator action responding to an
appropriate alert.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>