Re: Review of draft-ietf-radext-digest-auth-08.txt (fwd)
"Beck01, Wolfgang" <BeckW@t-systems.com> Wed, 17 May 2006 15:05 UTC
Envelope-to: radiusext-data@psg.com
Delivery-date: Wed, 17 May 2006 15:06:17 +0000
Message-Id: <1E4CCB2441C5C0409AD8A929482A09F31BB6C4@S4DE9JSAAIG.ost.t-com.de>
From: "Beck01, Wolfgang" <BeckW@t-systems.com>
To: alexey.melnikov@isode.com
Cc: radiusext@ops.ietf.org, bernard_aboba@hotmail.com
Subject: Re: Review of draft-ietf-radext-digest-auth-08.txt (fwd)
Date: Wed, 17 May 2006 17:05:58 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
> -----Original Message-----
> Alexey
>
>> 2.1.2. Constructing an Access-Request
>> [...]
>>
>> Due to syntactic requirements, HTTP-style protocols have to escape
>> quote characters in contents of HTTP Digest directives. When
>
> "with backslash all quote and backslash characters in contents of ..."

OK

>>
>> 2.2.1. General Attribute Checks
>
>> [...]
>> The RADIUS server removes '\' characters that escape quote
>> characters
>
> "... that escape quote and '\' characters ..."
>
>> from the text values it has received in the Digest-* attributes.

OK

>> 8.1. Denial of Service
>> [...]
>> An attacker can attempt a denial of service attack on one or more
>> RADIUS servers by sending a large number of HTTP-style requests. To
>> make simple denial of service attacks more difficult, the nonce
>> issuer (RADIUS client or server) MUST check if it has generated the
>> nonce received from an HTTP-style client. This SHOULD be done
>> statelessly. For example, a nonce could consist of a
>> cryptographically random part and some kind of signature provided by
>> the RADIUS client, as described in [RFC2617], section 3.2.1.
>
> The RADIUS client no longer generates nonces, so it can't
> verify signature, unless it knows how RADIUS server generates nonces.

I knew I'd miss some of those.

> 9. Acknowledgments
>
> We would like to acknowledge Kevin Mcdermott (Cisco Systems) /or
>
> typo: "for"
>
> providing comments and experimental implementation.

Thank you for reviewing this document again.

Wolfgang

--
T-Systems Enterprise Services GmbH
Systems Integration
Technologiezentrum
Engineering Networks, Products & Services
Next Generation IP Services & Systems
Am Kavalleriesand 3
64295 Darmstadt
Tel +49 6151 937 2863
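The two mechanics discussed in the review above, the server-side removal of '\' escapes from Digest-* attribute values (section 2.2.1) and a stateless check that a nonce was issued by this nonce issuer (section 8.1), as an added illustration that is not code from the draft or from any RADIUS implementation. The nonce layout (random part, hex timestamp, truncated HMAC tag) and the 300 s lifetime are assumptions made for this example; RFC 2617 section 3.2.1 only sketches the idea.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

NONCE_LIFETIME = 300  # seconds; constructed value, not from the draft


def unescape_digest_value(value: str) -> str:
    """Remove the '\\' characters that escape quote and '\\' characters
    in an HTTP Digest quoted-string, as the RADIUS server does before
    using a Digest-* attribute value. Other backslashes are left alone."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in '"\\':
            out.append(value[i + 1])  # keep the escaped character itself
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def escape_digest_value(value: str) -> str:
    """Inverse operation, as an HTTP-style client performs it."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def make_nonce(key: bytes, now: Optional[int] = None) -> str:
    """random-part:hex-timestamp:tag, where tag = HMAC-SHA256(key, first two)."""
    now = int(time.time()) if now is None else now
    stamp = f"{os.urandom(16).hex()}:{now:x}"
    tag = hmac.new(key, stamp.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{stamp}:{tag}"


def nonce_is_ours(key: bytes, nonce: str, now: Optional[int] = None) -> bool:
    """Stateless check: recompute the tag from the nonce itself and the
    issuer's key; no per-nonce state is stored, so floods of bogus nonces
    cost only one HMAC each and never reach the password lookup."""
    now = int(time.time()) if now is None else now
    parts = nonce.split(":")
    if len(parts) != 3:
        return False
    rnd, ts_hex, tag = parts
    try:
        issued = int(ts_hex, 16)
    except ValueError:
        return False
    expected = hmac.new(key, f"{rnd}:{ts_hex}".encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False
    return 0 <= now - issued <= NONCE_LIFETIME
```

Rejecting an unknown or expired nonce before any credential lookup is what keeps the check cheap under the flood described in section 8.1.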