Message-Authenticator should be mandatory (1 1 1 1).
On Jan 10, 2012, at 22:30, "jouni korhonen" <jouni(_dot_)nospam(_at_)gmail(_dot_)com> wrote:
Bernard,
Thank you for your review. See my comments inline.
On Jan 10, 2012, at 8:37 PM, Bernard Aboba wrote:
The document appears to contain typos in sections 4.16 and 4.17.
In section 4.16, it appears that "Home LMA IPv6 address" should be replaced
by "Home DHCPv6 server address":
Blimey.. we'll fix this.
4.16. PMIP6-Home-DHCP6-Server-Address
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   Home DHCPv6 server address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                      Home DHCPv6 server address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                      Home DHCPv6 server address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                      Home DHCPv6 server address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Home LMA IPv6 address      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
In Section 4.17, it appears that "Visited LMA IPv6 address" should be
replaced by "Visited DHCPv6 server address":
And the same here..
4.17. PMIP6-Visited-DHCP6-Server-Address
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |  Visited DHCPv6 server address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                     Visited DHCPv6 server address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                     Visited DHCPv6 server address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                     Visited DHCPv6 server address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       Visited LMA IPv6 address    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
5.2. Table of Attributes
The following table provides a guide to attributes that may be found
in authentication and authorization RADIUS messages between MAG and
the AAA Server.
   Request  Accept  Reject  Challenge  #   Attribute
   0-1      0-1     0-1     0-1        80  Message-Authenticator
[BA] The Message-Authenticator attribute is mandatory-to-implement in a number of RADIUS usages, including EAP (RFC 3579). Leaving out Message-Authenticator could result in Access-Requests lacking authentication and integrity protection. RFC 6158 Section 3.1 states:
Good point. So, you are saying that we should have:
1 0-1 0-1 0-1 80 Message-Authenticator
or would
1 1 1 1 80 Message-Authenticator
be even better as RFC3759 & 5090 do?
- Jouni
While [RFC2865] did not require authentication and integrity
protection of RADIUS Access-Request packets, subsequent
authentication mechanism specifications, such as RADIUS/EAP [RFC3579]
and Digest Authentication [RFC5090], have mandated authentication and
integrity protection for certain RADIUS packets. [RFC5080], Section
2.1.1 makes this behavior RECOMMENDED for all Access-Request packets,
including Access-Request packets performing authorization checks. It
is expected that specifications for new RADIUS authentication
mechanisms will continue this practice.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
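Added example, not from the draft or from either author: a minimal Python model of the Message-Authenticator (attribute 80) computation of RFC 3579, Section 3.2, showing what the thread is arguing for. An Access-Request that carries the attribute cannot be altered or produced without the shared secret, while one that omits it gives the server nothing to check. The shared secret and the User-Name are constructed sample values; attribute numbers are the standard ones.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80       # attribute number from the table above
SECRET = b"constructed-shared-secret"  # constructed sample value, not from the draft

def encode_attr(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute: Type (1 octet), Length (1 octet, includes header), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    # Header: Code, Identifier, Length (whole packet), 16-octet Authenticator, then attributes
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def find_attr(packet: bytes, attr_type: int):
    # Offset of the first attribute of attr_type, or None; malformed lengths raise
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        if t == attr_type:
            return pos
        pos += length
    return None

def message_authenticator(packet: bytes, secret: bytes) -> bytes:
    # HMAC-MD5 keyed with the shared secret over the whole packet, with the
    # Message-Authenticator value replaced by 16 zero octets (RFC 3579, Section 3.2)
    idx = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    zeroed = packet[:idx + 2] + bytes(16) + packet[idx + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def sign_access_request(ident: int, attrs: list, secret: bytes) -> bytes:
    # Build an Access-Request with a random Request Authenticator and a valid Message-Authenticator
    packet = build_packet(ACCESS_REQUEST, ident, os.urandom(16),
                          attrs + [encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    idx = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    return packet[:idx + 2] + message_authenticator(packet, secret) + packet[idx + 18:]

def verify(packet: bytes, secret: bytes) -> bool:
    # Server-side check: a request with no Message-Authenticator, or a wrong one, is rejected
    idx = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if idx is None or packet[idx + 1] != 18:
        return False
    return hmac.compare_digest(packet[idx + 2:idx + 18], message_authenticator(packet, secret))
```

With the attribute marked 0-1 rather than 1, a server that follows the table verbatim must accept the unsigned case below, which is exactly the gap RFC 6158 Section 3.1 describes.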