Message-Authenticator should be mandatory (1 1 1 1)

On Jan 10, 2012, at 22:30, "jouni korhonen" <jouni.nospam@xxxxxxxxx> wrote:

> Bernard,
>
> Thank you for your review. See my comments inline.
>
>
> On Jan 10, 2012, at 8:37 PM, Bernard Aboba wrote:
>
>> The document appears to contain typos in sections 4.16 and 4.17.
>>
>> In section 4.16, it appears that "Home LMA IPv6 address" should be
>> replaced by "Home DHCPv6 server address":
>
> Blimey.. we'll fix this.
>
>> 4.16. PMIP6-Home-DHCP6-Server-Address
>>
>>     0                   1                   2                   3
>>     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>    |     Type      |    Length     |   Home DHCPv6 server address
>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>                       Home DHCPv6 server address
>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>                       Home DHCPv6 server address
>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>                       Home DHCPv6 server address
>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>        Home LMA IPv6 address        |
>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>
>> In Section 4.17, it appears that "Visited LMA IPv6 address" should be
>> replaced by "Visited DHCPv6 server address":
>
> And the same here..
>
>> 4.17. PMIP6-Visited-DHCP6-Server-Address
>>
>>     0                   1                   2                   3
>>     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>    |     Type      |    Length     |  Visited DHCPv6 server address
>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>                      Visited DHCPv6 server address
>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>                      Visited DHCPv6 server address
>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>                      Visited DHCPv6 server address
>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>       Visited LMA IPv6 address      |
>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>
>> 5.2. Table of Attributes
>>
>>    The following table provides a guide to attributes that may be found
>>    in authentication and authorization RADIUS messages between MAG and
>>    the AAA Server.
>>
>>    Request  Accept  Reject  Challenge  #   Attribute
>>    0-1      0-1     0-1     0-1        80  Message-Authenticator
>>
>> [BA] The Message-Authenticator attribute is mandatory-to-implement in
>> a number of RADIUS usages, including EAP (RFC 3579). Leaving out
>> Message-Authenticator could result in Access-Requests lacking
>> authentication and integrity protection. RFC 6158 Section 3.1 states:
>
> Good point. So, you are saying that we should have:
>
>    1        0-1     0-1     0-1        80  Message-Authenticator
>
> or would
>
>    1        1       1       1          80  Message-Authenticator
>
> be even better as RFC3759 & 5090 do?
>
>
> - Jouni
>
>
>>    While [RFC2865] did not require authentication and integrity
>>    protection of RADIUS Access-Request packets, subsequent
>>    authentication mechanism specifications, such as RADIUS/EAP [RFC3579]
>>    and Digest Authentication [RFC5090], have mandated authentication and
>>    integrity protection for certain RADIUS packets. [RFC5080], Section
>>    2.1.1 makes this behavior RECOMMENDED for all Access-Request packets,
>>    including Access-Request packets performing authorization checks. It
>>    is expected that specifications for new RADIUS authentication
>>    mechanisms will continue this practice.
>>
>> _______________________________________________
>> Ietf mailing list
>> Ietf@xxxxxxxx
>> https://www.ietf.org/mailman/listinfo/ietf
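What the review is pointing at, as an added example that is not code from the thread or from the draft: a RADIUS Access-Request that omits attribute 80 carries only a random Request Authenticator, so nothing on it is keyed; with Message-Authenticator present, the receiver can check an HMAC-MD5 over the whole packet under the shared secret (RFC 2869, with the RFC 3579 rule that responses are keyed over the Request Authenticator of the request they answer). The example builds a request and an Access-Accept, encodes a 16-octet IPv6 address attribute with the Type/Length layout of sections 4.16 and 4.17, and verifies both packets. The shared secret, the fixed Request Authenticator, the user name and the address are constructed values; the attribute type number for PMIP6-Home-DHCP6-Server-Address is a labelled placeholder because the page does not give it.

```python
"""Added example: RADIUS Message-Authenticator (attribute 80) construction and
verification per RFC 2869 / RFC 3579, plus a 16-octet IPv6 address attribute in
the layout of the PMIP6-*-DHCP6-Server-Address attributes discussed on the list.
Not code from the draft or from the IETF thread."""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME = 1                    # RFC 2865
MESSAGE_AUTHENTICATOR = 80       # RFC 2869
# Placeholder: the IANA type of PMIP6-Home-DHCP6-Server-Address is not on this page.
PLACEHOLDER_PMIP6_HOME_DHCP6_SERVER_ADDRESS = 200


def encode_attr(attr_type, value):
    """Type | Length | Value TLV; Length counts the two header octets too."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_ipv6_attr(attr_type, address):
    """16-octet IPv6 address attribute (Length = 18), as in sections 4.16/4.17."""
    return encode_attr(attr_type, ipaddress.IPv6Address(address).packed)


def build_packet(code, identifier, authenticator, attrs):
    """Code | Identifier | Length | Authenticator(16) | Attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def add_message_authenticator(packet, secret):
    """Append attribute 80 holding HMAC-MD5(secret, packet with the attribute value
    zeroed). For responses the caller puts the Request Authenticator in octets 4..19
    first (RFC 3579 section 3.2)."""
    pkt = packet + encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = pkt[:2] + struct.pack("!H", len(pkt)) + pkt[4:]   # fix up Length
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def build_response(code, identifier, request_authenticator, attrs, secret):
    """Response with Message-Authenticator, then the RFC 2865 Response Authenticator
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) in octets 4..19."""
    pkt = add_message_authenticator(
        build_packet(code, identifier, request_authenticator, attrs), secret)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def parse_attrs(packet):
    """Return [(type, value, offset)]; reject packets whose lengths do not add up."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS Length does not match packet size")
    i, out = 20, []
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("bad attribute length")
        out.append((t, packet[i + 2:i + length], i))
        i += length
    return out


def verify_message_authenticator(packet, secret, request_authenticator=None):
    """True only if a well-formed attribute 80 is present and its HMAC matches.
    A packet without it is reported unauthenticated: that is the exposure of the
    '0-1' column in the table of attributes."""
    for t, value, offset in parse_attrs(packet):
        if t != MESSAGE_AUTHENTICATOR:
            continue
        if len(value) != 16:
            return False
        auth = packet[4:20] if request_authenticator is None else request_authenticator
        zeroed = packet[:4] + auth + packet[20:offset + 2] + bytes(16) + packet[offset + 18:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        return hmac.compare_digest(expected, value)
    return False


def verify_response_authenticator(packet, request_authenticator, secret):
    """RFC 2865 check of octets 4..19 of an Accept/Reject/Challenge."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo(secret=b"constructed-shared-secret"):
    """Constructed exchange: MAG -> AAA Access-Request, AAA -> MAG Access-Accept."""
    req_auth = bytes(range(16))   # constructed; a real sender uses os.urandom(16)
    request = add_message_authenticator(build_packet(ACCESS_REQUEST, 7, req_auth, [
        encode_attr(USER_NAME, b"mn@example.net")]), secret)
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, [
        encode_ipv6_attr(PLACEHOLDER_PMIP6_HOME_DHCP6_SERVER_ADDRESS, "2001:db8::53")], secret)
    tampered = accept[:22] + bytes([accept[22] ^ 0x01]) + accept[23:]   # flip a bit of the address
    bare = build_packet(ACCESS_REQUEST, 8, req_auth, [encode_attr(USER_NAME, b"mn@example.net")])
    return {
        "request_ok": verify_message_authenticator(request, secret),
        "request_wrong_secret": verify_message_authenticator(request, b"other-secret"),
        "request_without_ma": verify_message_authenticator(bare, secret),
        "accept_ok": verify_message_authenticator(accept, secret, req_auth)
                     and verify_response_authenticator(accept, req_auth, secret),
        "accept_tampered": verify_message_authenticator(tampered, secret, req_auth),
        "dhcp6_attr_len": accept[21],   # 2 + 16 = 18, the Length octet of the address attribute
    }


if __name__ == "__main__":
    print(demo())
```

Making the attribute "1" in the Request column of the table is what lets a receiver take the `request_without_ma` outcome as a reject rather than as a packet it must still accept; note also that the Accept verification needs the Request Authenticator of the matching request, so the MAG has to keep it until the response arrives.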