On Jan 11, 2012, at 9:04 AM, Bernard Aboba wrote:

> Message-Authenticator should be mandatory (1 1 1 1).

Ack. Thanks Bernard.

- Jouni

> On Jan 10, 2012, at 22:30, "jouni korhonen" <jouni.nospam@xxxxxxxxx> wrote:
>
>> Bernard,
>>
>> Thank you for your review. See my comments inline.
>>
>> On Jan 10, 2012, at 8:37 PM, Bernard Aboba wrote:
>>
>>> The document appears to contain typos in sections 4.16 and 4.17.
>>>
>>> In section 4.16, it appears that "Home LMA IPv6 address" should be
>>> replaced by "Home DHCPv6 server address":
>>
>> Blimey.. we'll fix this.
>>
>>> 4.16. PMIP6-Home-DHCP6-Server-Address
>>>
>>>     0                   1                   2                   3
>>>     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>    |     Type      |    Length     |   Home DHCPv6 server address
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>                        Home DHCPv6 server address
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>                        Home DHCPv6 server address
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>                        Home DHCPv6 server address
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>          Home LMA IPv6 address    |
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>
>>> In Section 4.17, it appears that "Visited LMA IPv6 address" should be
>>> replaced by "Visited DHCPv6 server address":
>>
>> And the same here..
>>
>>> 4.17. PMIP6-Visited-DHCP6-Server-Address
>>>
>>>     0                   1                   2                   3
>>>     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>    |     Type      |    Length     |  Visited DHCPv6 server address
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>                       Visited DHCPv6 server address
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>                       Visited DHCPv6 server address
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>                       Visited DHCPv6 server address
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>         Visited LMA IPv6 address   |
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>
>>> 5.2. Table of Attributes
>>>
>>> The following table provides a guide to attributes that may be found
>>> in authentication and authorization RADIUS messages between MAG and
>>> the AAA Server.
>>>
>>>    Request Accept Reject Challenge   #   Attribute
>>>      0-1    0-1    0-1     0-1      80   Message-Authenticator
>>>
>>> [BA] The Message-Authenticator attribute is mandatory-to-implement in a
>>> number of RADIUS usages, including EAP (RFC 3579). Leaving out
>>> Message-Authenticator could result in Access-Requests lacking
>>> authentication and integrity protection. RFC 6158 Section 3.1 states:
>>
>> Good point. So, you are saying that we should have:
>>
>>       1     0-1    0-1     0-1      80   Message-Authenticator
>>
>> or would
>>
>>       1      1      1       1       80   Message-Authenticator
>>
>> be even better as RFC3759 & 5090 do?
>>
>> - Jouni
>>
>>>    While [RFC2865] did not require authentication and integrity
>>>    protection of RADIUS Access-Request packets, subsequent
>>>    authentication mechanism specifications, such as RADIUS/EAP [RFC3579]
>>>    and Digest Authentication [RFC5090], have mandated authentication and
>>>    integrity protection for certain RADIUS packets. [RFC5080], Section
>>>    2.1.1 makes this behavior RECOMMENDED for all Access-Request packets,
>>>    including Access-Request packets performing authorization checks. It
>>>    is expected that specifications for new RADIUS authentication
>>>    mechanisms will continue this practice.
>>>
>>> _______________________________________________
>>> Ietf mailing list
>>> Ietf@xxxxxxxx
>>> https://www.ietf.org/mailman/listinfo/ietf
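The thread's point is that without Message-Authenticator an Access-Request carries no authentication or integrity protection at all: the Request Authenticator is just a random nonce, and the shared secret never enters into it. The following is an added illustration, not code from the thread or from the draft under review, of what the attribute actually provides. It builds an Access-Request with a Message-Authenticator computed as RFC 2869 Section 5.14 and RFC 3579 Section 3.2 describe (HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute's own value zeroed), then verifies it and shows the three failure cases a server should reject: a modified attribute, a wrong shared secret, and a packet that simply omits the attribute. The shared secret, User-Name and Request Authenticator are constructed values.

```python
# Added example (not from the thread or the draft): computing and checking the
# RADIUS Message-Authenticator attribute (type 80) over a constructed
# Access-Request.  Secret, identifier and attribute values are made up.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Request Authenticator(16)


def encode_attr(attr_type, value):
    """RADIUS attribute TLV: Type(1) Length(1, including header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Return [(type, value), ...]; reject truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_access_request(secret, identifier, attrs, request_authenticator=None):
    """Build an Access-Request that carries a valid Message-Authenticator.

    The HMAC-MD5 covers the entire packet (header, Request Authenticator and
    every attribute) with the Message-Authenticator value set to 16 zero
    octets; the result then replaces those zeros.
    """
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # placeholder is the last 16 octets


def verify_message_authenticator(secret, packet):
    """True only if the packet carries a Message-Authenticator that verifies.

    A packet with no Message-Authenticator is reported as unverified: that is
    exactly the case the thread warns about, since nothing else in an
    Access-Request binds the contents to the shared secret.
    """
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    try:
        attrs = parse_attrs(packet[HEADER_LEN:])
    except ValueError:
        return False
    offset, mac_offset, received = HEADER_LEN, None, None
    for t, v in attrs:
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if len(v) != 16 or mac_offset is not None:  # malformed or duplicated
                return False
            mac_offset, received = offset + 2, v
        offset += 2 + len(v)
    if mac_offset is None:
        return False
    zeroed = packet[:mac_offset] + b"\x00" * 16 + packet[mac_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def demo():
    """Exercise the good case and the three rejection cases."""
    secret = b"example-shared-secret"  # constructed value
    attrs = [(ATTR_USER_NAME, b"mn@example.com")]
    pkt = build_access_request(secret, 7, attrs, request_authenticator=bytes(range(16)))
    good = verify_message_authenticator(secret, pkt)

    tampered = bytearray(pkt)
    tampered[HEADER_LEN + 2] ^= 0x01  # first octet of the User-Name value
    modified = verify_message_authenticator(secret, bytes(tampered))

    wrong_secret = verify_message_authenticator(b"other-secret", pkt)

    # Same request with the attribute stripped and the length fixed up.
    body = encode_attr(ATTR_USER_NAME, b"mn@example.com")
    stripped = struct.pack("!BBH", ACCESS_REQUEST, 7, HEADER_LEN + len(body)) + pkt[4:20] + body
    missing = verify_message_authenticator(secret, stripped)
    return good, modified, wrong_secret, missing


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The "missing" case is the one a table entry of 0-1 permits: a server that tolerates the absent attribute has to fall back to nothing at all for Access-Request integrity, which is why the thread settles on making it mandatory in every message type.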