[radext] RDTLS #67 (new): RADIUS vs RDTLS disambiguation (TLS Alert)
#67: RADIUS vs RDTLS disambiguation (TLS Alert)
''3.1 "As a result, protocol disambiguation is straightforward. If the
first byte of the packet has value 22, it is a DTLS packet, and is a DTLS
connection initiation request. Otherwise, it is a RADIUS"''
{{{
5.
"
P = receive_packet_from_network()
D = lookup_dtls_session(T, P)
if (D || client_supports_rdtls(P)) {
    R = process_dtls_packet(D, P)
    if (R) {
        process_radius_packet(R)
    }
} else if (first_octet_of_packet_is_22(P)) {
    process_dtls_clienthello(P)
} else {
    process_radius_packet(P)
}"
}}}
Until the TLS session is fully established, you must be able to accept
normal RADIUS packets in the case where client_supports_rdtls is false, or
someone can spoof a request with the intent to prematurely lock in the use
of DTLS.

In terms of the text, this draft should also burn the alert ctype (21), as
it may be sent by the client as part of its peer validation before the
session is established.
--
-------------------------------------+--------------------------------------
Reporter: peterd@… | Owner:
Type: defect | Status: new
Priority: minor | Milestone: milestone1
Component: RDTLS | Version: 1.0
Severity: Active WG Document | Keywords:
-------------------------------------+--------------------------------------
Ticket URL: <https://wiki.tools.ietf.org/wg/radext/trac/ticket/67>
radext <http://tools.ietf.org/radext/>
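The two points raised in the ticket, kept as one runnable model: a demultiplexer for a UDP port that carries both plain RADIUS and DTLS must keep serving plain RADIUS until the DTLS handshake has actually completed (so a spoofed ClientHello cannot lock a client out), and it must route TLS alert records (content type 21) to the DTLS side even when no session exists yet. This is an added example written for this page, not code from the draft or from any RADIUS implementation; the class and function names (Demux, classify, handle, complete_handshake), the sample packets and the peer address are constructed, and the DTLS handshake itself is reduced to a state flag because a real server hands records to a DTLS library. Configured DTLS-only clients stand in for the pseudocode's client_supports_rdtls(P) and are assumed to be keyed by source IP.

```python
import struct
from enum import Enum

# TLS record-layer content types (RFC 5246 section 6.2.1, reused by DTLS).
TLS_CT_ALERT = 21      # a peer may send this before any session exists
TLS_CT_HANDSHAKE = 22  # ClientHello and the rest of the handshake
DTLS_RECORD_HEADER_LEN = 13  # type(1) version(2) epoch(2) seq(6) length(2)
RADIUS_HEADER_LEN = 20       # code(1) id(1) length(2) authenticator(16)


class SessionState(Enum):
    HANDSHAKING = 1   # ClientHello seen, handshake not finished
    ESTABLISHED = 2   # handshake completed; everything from the peer is DTLS


class Demux:
    def __init__(self, dtls_only_clients=()):
        # Assumption: administrator-configured DTLS-only peers, keyed by IP.
        self.dtls_only_clients = set(dtls_only_clients)
        self.sessions = {}      # (ip, port) -> SessionState
        self.radius_seen = []   # (peer, RADIUS Code) accepted as plain RADIUS
        self.dtls_seen = []     # (peer, content type) handed to DTLS

    def classify(self, peer, pkt):
        """Return 'dtls', 'radius' or 'drop' for one datagram from peer."""
        if not pkt:
            return "drop"
        if (self.sessions.get(peer) is SessionState.ESTABLISHED
                or peer[0] in self.dtls_only_clients):
            return "dtls"
        # Content types 22 and 21 go to DTLS even without a session, so a
        # pre-session alert is never parsed as a RADIUS packet with Code 21.
        # A pending, unfinished handshake does NOT force this branch: plain
        # RADIUS keeps working until DTLS is established, so a spoofed
        # ClientHello cannot lock the peer out of RADIUS service.
        if pkt[0] in (TLS_CT_HANDSHAKE, TLS_CT_ALERT):
            return "dtls"
        return "radius"

    def handle(self, peer, pkt):
        kind = self.classify(peer, pkt)
        if kind == "dtls":
            self._process_dtls_record(peer, pkt)
        elif kind == "radius":
            self._process_radius_packet(peer, pkt)
        return kind

    def _process_dtls_record(self, peer, pkt):
        if len(pkt) < DTLS_RECORD_HEADER_LEN:
            return  # truncated record: discard silently
        ctype = pkt[0]
        self.dtls_seen.append((peer, ctype))
        # A ClientHello (handshake type 1) from a peer with no session opens a
        # handshake; a DTLS library would drive it from here (stubbed).
        if (ctype == TLS_CT_HANDSHAKE and peer not in self.sessions
                and len(pkt) > DTLS_RECORD_HEADER_LEN
                and pkt[DTLS_RECORD_HEADER_LEN] == 1):
            self.sessions[peer] = SessionState.HANDSHAKING

    def complete_handshake(self, peer):
        """Stand-in for the DTLS library reporting a finished handshake."""
        self.sessions[peer] = SessionState.ESTABLISHED

    def _process_radius_packet(self, peer, pkt):
        if len(pkt) < RADIUS_HEADER_LEN:
            return  # RFC 2865 section 3: packets shorter than 20 octets are dropped
        code, _ident, length = struct.unpack("!BBH", pkt[:4])
        if length < RADIUS_HEADER_LEN or length > len(pkt):
            return  # Length field outside the datagram: discard
        self.radius_seen.append((peer, code))


def dtls_record(ctype, body):
    """Build a DTLS 1.2 record (epoch 0, sequence 0) around body (constructed)."""
    return struct.pack("!BHHIHH", ctype, 0xFEFD, 0, 0, 0, len(body)) + body


def radius_packet(code, ident=0x2A, attrs=b""):
    """Build a minimal RADIUS packet with an all-zero authenticator (constructed)."""
    return struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(attrs)) + bytes(16) + attrs


# Constructed sample traffic, all claiming to come from the same peer.
PEER = ("192.0.2.10", 49152)
ACCESS_REQUEST = radius_packet(1)                                  # RADIUS Code 1
SPOOFED_CLIENTHELLO = dtls_record(TLS_CT_HANDSHAKE, bytes([1]) + bytes(11))
FATAL_ALERT = dtls_record(TLS_CT_ALERT, bytes([2, 40]))             # fatal handshake_failure


def run_scenario():
    d = Demux()
    results = {}
    results["spoof"] = d.handle(PEER, SPOOFED_CLIENTHELLO)           # handshake opened
    results["radius_during_handshake"] = d.handle(PEER, ACCESS_REQUEST)  # still served
    results["alert"] = d.handle(PEER, FATAL_ALERT)                   # DTLS, not Code 21
    d.complete_handshake(PEER)
    results["after_established"] = d.handle(PEER, ACCESS_REQUEST)    # now DTLS
    results["radius_seen"] = list(d.radius_seen)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The last classification in the scenario is the flip side of the ticket's first point: once the handshake has genuinely completed, a datagram beginning with byte 1 from that peer is DTLS application data, not an Access-Request, which is why the state must be keyed to the actual handshake outcome rather than to having seen a ClientHello. The model also shows the cost of sharing the port: a plain RADIUS packet whose Code is 21 or 22 is indistinguishable from a DTLS record, which is the reason the ticket asks for those code values to be burned.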