I do think we want to deal with a case where it's a proxy rather than
the home AAA server adding an assertion.

Assuming the original packet has no fragmentation, I think this case is straightforward.

The case of a proxy modifying an assertion can be simplified to a proxy
choosing to read an assertion and then issue a new assertion based on
input from the data.

The problem with this case is that the intermediate proxy will need to perform a conversation with the RADIUS client (i.e. sending Access-Challenge packets) to obtain all the fragments of the packet. Then, the proxy has to reconstruct the assertion, modify it and then start a new conversation with the RADIUS server, sending the new fragments.

I think it is possible, but that may be a lot of state to hold for a proxy.

Anyway, what's the idea behind having a proxy modify an assertion? Wouldn't the assertion be losing its meaning, as the originator of the assertion (i.e. the IdP) has no control over the asserted information along the path? IMO, one thing is assuming integrity is assured by the trust in the AAA infrastructure and thus a digital signature is not required, and another is abusing that fact by introducing intermediary elements that can modify the asserted data out of the control of the IdP.

Regards,
Alejandro


_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
