Re: I-D Action:draft-ietf-radext-dynamic-discovery-00.txt
> Title : NAI-based Dynamic Peer Discovery for RADIUS over TLS and DTLS
> Author(s) : S. Winter, M. McCauley
> Filename : draft-ietf-radext-dynamic-discovery-00.txt
My $0.02, as suggested in earlier emails:
The discovery process is always susceptible to bidding down attacks
if a realm has SRV records for RADIUS/UDP and/or RADIUS/TCP as well
as for RADIUS/TLS and/or RADIUS/DTLS.
This discovery should be *forbidden* for RADIUS/UDP and RADIUS/TCP.
The only consumer of this dynamic discovery right now is RadSec. So
forbidding RADIUS/UDP and RADIUS/TCP from using this method has no
impact on existing systems.
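Added example, not part of the original message or of the draft: a sketch of why mixed SRV answers allow bidding down, and of a client policy that only ever accepts RADIUS/TLS and RADIUS/DTLS candidates. The Candidate type, the function names, the hostnames and the answer sets are constructed for illustration; the transport strings are the four named in the message.

```python
from typing import Iterable, NamedTuple, Optional

class Candidate(NamedTuple):
    """One discovered peer, reduced to the fields that matter here (assumed shape)."""
    transport: str   # "RADIUS/UDP", "RADIUS/TCP", "RADIUS/TLS" or "RADIUS/DTLS"
    priority: int    # SRV priority: lower value is preferred
    target: str
    port: int

SECURE = {"RADIUS/TLS", "RADIUS/DTLS"}

def pick_naive(cands: Iterable[Candidate]) -> Optional[Candidate]:
    """Rank every transport together: whoever controls the DNS answer
    controls whether a protected transport is used at all."""
    return min(cands, key=lambda c: c.priority, default=None)

def pick_secure_only(cands: Iterable[Candidate]) -> Optional[Candidate]:
    """Drop RADIUS/UDP and RADIUS/TCP before ranking and never fall back.
    Returning None means discovery fails closed for this realm."""
    secure = (c for c in cands if c.transport in SECURE)
    return min(secure, key=lambda c: c.priority, default=None)

# Constructed answer sets for a realm that publishes both kinds of record.
PUBLISHED = [
    Candidate("RADIUS/TLS", 10, "tls.example.org", 2083),
    Candidate("RADIUS/UDP", 20, "udp.example.org", 1812),
]
# Same answer with an extra unprotected record that outranks the TLS one.
OUTRANKED = PUBLISHED + [Candidate("RADIUS/UDP", 0, "other.example.net", 1812)]
# Same answer with the protected record missing.
STRIPPED = [c for c in PUBLISHED if c.transport not in SECURE]

if __name__ == "__main__":
    for name, answer in (("published", PUBLISHED),
                         ("outranked", OUTRANKED),
                         ("stripped", STRIPPED)):
        print(name, "naive:", pick_naive(answer),
              "secure-only:", pick_secure_only(answer))
```

With the unprotected transports excluded from discovery, a modified answer can at worst make discovery fail; it cannot move the session onto RADIUS/UDP or RADIUS/TCP.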