
ISSUE: Request Authenticator validation in RFC 2866



Description of issue: No requirement for Request Authenticator validation in RFC 2866
Submitter name: Alan DeKok
Submitter email address: aland@ox.org
Date first submitted: August 12, 2005
Reference: URL to e-mail describing problem, if available
Document: RFC 2866
Comment type: T
Priority: S
Section: 4.1
Rationale/Explanation of issue:

  The text defining the Response Authenticator for Accounting-Response
packets says that "invalid packets are silently discarded", but no
such text exists for the Request Authenticator in Accounting-Request
packets.


Suggested fix:  Add the following text to "issues & fixes draft"

  RFC 2866, Section 4.1 says:

  Request Authenticator

      The Request Authenticator of an Accounting-Request contains a 16-octet
      MD5 hash value calculated according to the method described in
      "Request Authenticator" above.

  The text is incomplete, as it does not indicate any action to take
when an Accounting-Request packet contains an invalid Request
Authenticator.  The following text should be considered to be part of
the above description:

     The Request Authenticator field MUST contain the correct data,
     as given by the above calculation.  Invalid packets are silently
     discarded.  Note that some early implementations always set the
     Request Authenticator to all zeros.  New implementations of RADIUS
     clients MUST use the above algorithm to calculate the
     Request Authenticator field.  New implementations of RADIUS servers
     MUST silently discard invalid packets.


  We may also want to add a note to the Security Considerations
section of the "Issues and fixes" draft.  RADIUS server
implementations which accept a Request Authenticator of all zeros are
subject to various attack scenarios.

  Alan DeKok.

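The following is an added illustration of the check the issue asks for; it is not code from the message above or from any RADIUS implementation. It computes the Accounting-Request Request Authenticator exactly as RFC 2866 Section 3 specifies (MD5 over Code + Identifier + Length + 16 zero octets + attributes + shared secret) and shows a server-side validator that accepts a correctly computed packet and rejects the all-zeros Request Authenticator that the early clients mentioned above sent. The attribute values, identifier and shared secret are constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS packet constants from RFC 2865 / RFC 2866
ACCOUNTING_REQUEST = 4    # Code for Accounting-Request
ACCOUNTING_RESPONSE = 5   # Code for Accounting-Response
HEADER_LEN = 20           # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def request_authenticator(code, identifier, attributes, secret):
    """RFC 2866 Section 3 calculation for an Accounting-Request:
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + bytes(16) + attributes + secret).digest()


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """RFC 2866 Section 3 calculation for an Accounting-Response:
    MD5(Code + Identifier + Length + RequestAuth + attributes + shared secret)."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_accounting_request(identifier, attributes, secret, authenticator=None):
    """Build an Accounting-Request as a well-behaved client would.  Passing
    authenticator=bytes(16) reproduces the all-zeros field of the early
    implementations the issue mentions."""
    if authenticator is None:
        authenticator = request_authenticator(ACCOUNTING_REQUEST, identifier, attributes, secret)
    length = HEADER_LEN + len(attributes)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, length) + authenticator + attributes


def validate_accounting_request(packet, secret):
    """Server-side check proposed in the issue: recompute the Request Authenticator
    from the received packet and compare.  False means "silently discard"."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    # RFC 2865 Section 3: Length below 20 or above the datagram size means the
    # packet is discarded; octets beyond Length are padding and are ignored.
    if code != ACCOUNTING_REQUEST or length < HEADER_LEN or length > len(packet):
        return False
    received = packet[4:20]
    attributes = packet[20:length]
    expected = request_authenticator(code, identifier, attributes, secret)
    # Constant-time comparison so the check itself does not leak timing information.
    return hmac.compare_digest(received, expected)


def tlv(attr_type, value):
    """Encode one RADIUS attribute: Type(1) + Length(1) + Value."""
    return bytes([attr_type, 2 + len(value)]) + value


# Constructed sample input (not from the message): Acct-Status-Type = Start (type 40,
# value 1) and User-Name = "alice" (type 1), with a placeholder shared secret.
SAMPLE_ATTRS = tlv(40, struct.pack("!I", 1)) + tlv(1, b"alice")
SECRET = b"example-shared-secret"

if __name__ == "__main__":
    good = build_accounting_request(7, SAMPLE_ATTRS, SECRET)
    zeros = build_accounting_request(7, SAMPLE_ATTRS, SECRET, authenticator=bytes(16))
    print("correctly computed authenticator accepted:", validate_accounting_request(good, SECRET))
    print("all-zeros authenticator accepted:", validate_accounting_request(zeros, SECRET))
```

A server that skips this check accepts the all-zeros packet and any packet whose attributes were altered in transit, which is the gap the issue describes; with the check in place both are dropped before any accounting record is written.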

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>