
Re: FW: Review of draft-ietf-radext-status-server



>
>> The overloading of Access-Accept and Accounting-Response for
>> this purpose (response to a Server-Status command) is a bit
>> disconcerting and quite dangerous since it opens the door
>> for potentially bogus authentication.
>
>  I'm not sure why.  The response packets are signed with the Request
>Authenticator of the request.  i.e. the client *knows* that the
>Access-Accept is in response to a Status-Server. So it has no "user
>session" to authenticate.

That assumes that the client was the one actually sending
the Status-Server. It could have been an attacker.

A client has very little to use to validate an incoming Access-Request
that was generated as a response to a Status-Server.

IOW, a server responding to a Status-Server sent to its auth port
may unintentionally authenticate a bogus session.

That's why I say that using Access-Accept as a response to
anything other than an Access-* is dangerous.

Cheers,
-Ignacio
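The exchange above turns on how a reply to Status-Server is bound to its request: per RFC 2865 the Response Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret), and RFC 5997 has a server answer a Status-Server on the auth port with an Access-Accept. The following is an added example, not code from the thread or from any draft; it builds a Status-Server request and its Access-Accept reply, then shows a client that accepts a reply only if the Identifier matches an outstanding Status-Server it sent and the Response Authenticator verifies, and that treats such an Access-Accept purely as a liveness indication, never as a user session. The Message-Authenticator attribute that RFC 5997 requires on the request is omitted for brevity; the class and function names, the shared secret and the Identifier are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 / RFC 5997)
ACCESS_ACCEPT = 2
STATUS_SERVER = 12

# Header: Code (1), Identifier (1), Length (2), Authenticator (16)
HEADER = struct.Struct("!BBH16s")


def build_packet(code, ident, authenticator, attrs=b""):
    """Assemble a RADIUS packet: 20-byte header followed by attributes."""
    return HEADER.pack(code, ident, HEADER.size + len(attrs), authenticator) + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + len(attrs)
    return hashlib.md5(HEADER.pack(code, ident, length, request_auth) + attrs + secret).digest()


class StatusServerClient:
    """Client side (hypothetical): remembers each outstanding Status-Server by
    Identifier and accepts a reply only if it is bound to that request."""

    def __init__(self, secret):
        self.secret = secret
        self.outstanding = {}  # identifier -> Request Authenticator we sent

    def send_status_server(self, ident):
        request_auth = os.urandom(16)  # fresh random Request Authenticator
        self.outstanding[ident] = request_auth
        return build_packet(STATUS_SERVER, ident, request_auth)

    def handle_reply(self, packet):
        """Return ('server-alive', ident) for a valid reply, ('dropped', reason)
        otherwise. Nothing here creates a user session: a verified Access-Accept
        tied to a Status-Server only tells the client that the server is up."""
        if len(packet) < HEADER.size:
            return ("dropped", "short packet")
        code, ident, length, resp_auth = HEADER.unpack_from(packet)
        if length != len(packet):
            return ("dropped", "bad length")
        if code != ACCESS_ACCEPT:
            return ("dropped", "unexpected code %d" % code)
        request_auth = self.outstanding.get(ident)
        if request_auth is None:
            # Unsolicited: no Status-Server with this Identifier is outstanding.
            return ("dropped", "no outstanding Status-Server with id %d" % ident)
        attrs = packet[HEADER.size:]
        expected = response_authenticator(code, ident, request_auth, attrs, self.secret)
        if not hmac.compare_digest(expected, resp_auth):
            return ("dropped", "Response Authenticator mismatch")
        del self.outstanding[ident]  # one reply per request; a replay is rejected
        return ("server-alive", ident)


def server_reply(request_packet, secret):
    """Server side (hypothetical): answer a Status-Server on the auth port with an
    Access-Accept whose Response Authenticator covers the request's authenticator."""
    code, ident, _length, request_auth = HEADER.unpack_from(request_packet)
    assert code == STATUS_SERVER
    attrs = b""  # RFC 5997 permits Message-Authenticator here; omitted in this example
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return build_packet(ACCESS_ACCEPT, ident, resp_auth, attrs)


def demo(secret=b"shared-secret", ident=7):
    """Constructed exchange: one genuine reply plus three packets a client must drop."""
    client = StatusServerClient(secret)
    request = client.send_status_server(ident)
    good = server_reply(request, secret)

    # Same Response Authenticator under an Identifier the client never used.
    unsolicited = build_packet(ACCESS_ACCEPT, ident + 1, good[4:20])

    # Signed by a party that does not know the shared secret.
    forged_auth = response_authenticator(ACCESS_ACCEPT, ident, client.outstanding[ident], b"", b"wrong")
    forged = build_packet(ACCESS_ACCEPT, ident, forged_auth)

    results = {}
    results["forged"] = client.handle_reply(forged)
    results["unsolicited"] = client.handle_reply(unsolicited)
    results["good"] = client.handle_reply(good)
    results["replay"] = client.handle_reply(good)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-12s %s" % (name, outcome))
```

The check that matters for the objection raised in the thread is the last line of handle_reply: whatever the packet code says, a reply matched to an outstanding Status-Server is mapped to a liveness result and nothing else, so there is no session state for a spoofed or replayed Access-Accept to attach to.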


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>