Re: Review of draft-ietf-radext-digest-auth-08.txt (fwd)

"Beck01, Wolfgang" <BeckW@t-systems.com> Wed, 17 May 2006 15:05 UTC

Message-Id: <1E4CCB2441C5C0409AD8A929482A09F31BB6C4@S4DE9JSAAIG.ost.t-com.de>
From: "Beck01, Wolfgang" <BeckW@t-systems.com>
To: alexey.melnikov@isode.com
Cc: radiusext@ops.ietf.org, bernard_aboba@hotmail.com
Subject: Re: Review of draft-ietf-radext-digest-auth-08.txt (fwd)
Date: Wed, 17 May 2006 17:05:58 +0200

> -----Original Message-----
Alexey
>>   2.1.2.  Constructing an Access-Request
>> [...]
>> 
>>   Due to syntactic requirements, HTTP-style protocols have to escape
>>   quote characters in contents of HTTP Digest directives.  When
> 
> "with backslash all quote and backslash characters in contents of ..."
OK

>>
>>   2.2.1.  General Attribute Checks
> 
>> [...]
>>   The RADIUS server removes '\' characters that escape quote
>>   characters from the text values it has received in the Digest-*
>>   attributes.
> 
> "... that escape quote and '\' characters ..."
OK

>>   8.1.  Denial of Service
>> [...]
>>   An attacker can attempt a denial of service attack on one or more
>>   RADIUS servers by sending a large number of HTTP-style requests.  To
>>   make simple denial of service attacks more difficult, the nonce
>>   issuer (RADIUS client or server) MUST check if it has generated the
>>   nonce received from an HTTP-style client.  This SHOULD be done
>>   statelessly.  For example, a nonce could consist of a
>>   cryptographically random part and some kind of signature provided by
>>   the RADIUS client, as described in [RFC2617], section 3.2.1.
> 
> The RADIUS client no longer generates nonces, so it can't 
> verify the signature, unless it knows how the RADIUS server generates nonces.
>
I knew I'd miss some of those.
 
>>   9.  Acknowledgments
>> 
>>   We would like to acknowledge Kevin Mcdermott (Cisco Systems) /or
>>   providing comments and experimental implementation.
> 
> typo: "for"

Thank you for reviewing this document again.

Wolfgang

--
T-Systems Enterprise Services GmbH
Systems Integration
Technologiezentrum
Engineering Networks, Products & Services
Next Generation IP Services & Systems
Am Kavalleriesand 3
64295 Darmstadt
Tel +49 6151 937 2863
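As an added illustration of the escaping point discussed above (example code, not part of this thread or of the draft): the server-side unescaping that removes backslashes in front of both quote and backslash characters, beside the quote-only rule the review objected to, checked against an RFC 2617 Digest response computed over the raw values. The Digest-* attribute names, the qop-less response formula, and the sample user, password and nonce are assumptions.

```python
import hashlib, hmac

def escape_digest_value(value: str) -> str:
    """Prefix every '\\' and '"' with a backslash (backslash first, so the
    escapes added here are not escaped a second time)."""
    return value.replace("\\", "\\\\").replace('"', '\\"')

def unescape_digest_value(escaped: str) -> str:
    """Server side: strip backslashes that escape '"' or '\\'; any other
    use of a backslash is malformed and rejected."""
    out, i = [], 0
    while i < len(escaped):
        if escaped[i] == "\\":
            if i + 1 >= len(escaped) or escaped[i + 1] not in '"\\':
                raise ValueError(f"bad escape at offset {i}")
            i += 1  # skip the escaping backslash, keep the escaped char
        out.append(escaped[i])
        i += 1
    return "".join(out)

def quote_only_unescape(escaped: str) -> str:
    """The narrower rule the review objected to: only '\\"' is unescaped."""
    return escaped.replace('\\"', '"')

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(H(A1):nonce:H(A2))."""
    h = lambda s: hashlib.md5(s.encode("utf-8")).hexdigest()
    ha1 = h(f"{username}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{ha2}")

def server_accepts(attrs, password, unescape):
    """RADIUS server: unescape the received Digest-* values with the given
    rule, recompute the response and compare it with Digest-Response."""
    expected = digest_response(
        unescape(attrs["Digest-Username"]), unescape(attrs["Digest-Realm"]),
        password, attrs["Digest-Method"], attrs["Digest-URI"], attrs["Digest-Nonce"])
    return hmac.compare_digest(expected, attrs["Digest-Response"])

def demo():
    # Constructed sample: a DOMAIN\user style name, made-up password and nonce.
    user, realm, pw = "CORP\\alice", "example.com", "s3cret"
    nonce, method, uri = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "GET", "/dir/index.html"
    # The HTTP client hashes the raw values but the values travel escaped,
    # and the RADIUS client copies them escaped into the Digest-* attributes.
    attrs = {"Digest-Username": escape_digest_value(user),
             "Digest-Realm": escape_digest_value(realm),
             "Digest-Method": method, "Digest-URI": uri, "Digest-Nonce": nonce,
             "Digest-Response": digest_response(user, realm, pw, method, uri, nonce)}
    return (server_accepts(attrs, pw, unescape_digest_value),
            server_accepts(attrs, pw, quote_only_unescape))
```

With a backslash in the username, only the rule that also unescapes '\' reproduces the client's hash; the quote-only rule leaves a doubled backslash in place and the authentication fails.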
