> Hi, Alex.
> With my draft-ietf-abfab-aaa-saml hat on, I have a problem with one of
> the proposed changes:
> * Fragmentation can only occur after authentication. Clients wanting to send
> large amounts of data can signal this situation on the first
> Access-Request, but the exchange will happen after authentication is
> completed for security reasons.
> Unfortunately some of the use cases for SAML involve looking at the SAML
> request to determine what authentication would be acceptable. As an
> example, we need to look at the LOA to determine what EAP methods are
> acceptable.
Hi Sam,
do you expect this data to be so large that it makes the first
Access-Request packet exceed the limit? It does not prevent SAML data
from being in the packet; it just avoids the use of fragmentation for
security reasons. When using EAP, the first Access-Request is usually
small, as it only contains EAP-Identity. Hence, almost 4KB would be
available for SAML data.
Regards,
Alejandro
> As such, we do actually need to be able to send things like SAML
> requests prior to authentication.
> So, I'd like to better understand the reasons for this change.
> If it's DoS concerns, I would prefer to revert the change and simply
> note the concern in security considerations.
> Also, from a DoS standpoint, since the entity being authenticated is the
> user, not the NAS, I'd like to understand how you're better off from a
> DoS standpoint after authentication.
> --Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
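The size argument in the thread (a first Access-Request carrying only EAP-Identity leaves "almost 4KB" for SAML data before the fragmentation mechanism is needed) can be checked concretely. The following is an added example written for this page; it is not code from the ABFAB or RADEXT drafts or from either poster. It encodes the first Access-Request of an EAP exchange per RFC 2865/RFC 3579, splits long values into 253-octet attribute runs the way EAP-Message is carried, and computes the largest SAML payload that still fits under the 4096-octet RADIUS limit. The identity and NAS-Identifier values are constructed, the Message-Authenticator is zeroed because only the size matters here, and the attribute type number used for the SAML data is a placeholder, not the attribute the draft defines.

```python
import os
import struct
from typing import Optional

# Fixed sizes from RFC 2865 (RADIUS) and RFC 3579 (RADIUS/EAP).
RADIUS_MAX_PACKET = 4096   # maximum RADIUS packet length, RFC 2865 section 3
RADIUS_HEADER_LEN = 20     # Code, Identifier, Length, Request Authenticator
ATTR_HEADER_LEN = 2        # Type and Length octets of every attribute
ATTR_MAX_VALUE_LEN = 253   # one-octet Length field, so at most 255 - 2 of value

# Standard attribute types.
USER_NAME = 1
NAS_IDENTIFIER = 32
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
# ASSUMPTION: placeholder type for the SAML data; not an IANA-assigned number
# and not the attribute defined by draft-ietf-abfab-aaa-saml.
SAML_DATA_TYPE = 241


def eap_response_identity(identity: bytes, eap_id: int = 1) -> bytes:
    """EAP-Response/Identity, RFC 3748 section 5.1: Code 2, Identifier,
    Length, Type 1 (Identity), then the identity string."""
    length = 4 + 1 + len(identity)
    return struct.pack("!BBHB", 2, eap_id, length, 1) + identity


def encode_attribute(atype: int, value: bytes) -> bytes:
    """Encode one attribute; a value longer than 253 octets becomes a run of
    consecutive attributes of the same type, which is how RFC 3579 carries a
    long EAP-Message (the receiver concatenates them in order)."""
    if not value:
        raise ValueError("RADIUS attributes carry at least one octet of value")
    out = bytearray()
    for i in range(0, len(value), ATTR_MAX_VALUE_LEN):
        chunk = value[i:i + ATTR_MAX_VALUE_LEN]
        out += struct.pack("!BB", atype, ATTR_HEADER_LEN + len(chunk)) + chunk
    return bytes(out)


def first_request_attributes(identity: bytes, nas_id: bytes,
                             saml: Optional[bytes] = None) -> bytes:
    """Attributes of the first Access-Request of an EAP exchange: User-Name,
    NAS-Identifier, the EAP-Response/Identity inside EAP-Message, the SAML
    data if any, and a Message-Authenticator (16 octets, zeroed here because
    only the size matters for this example)."""
    attrs = encode_attribute(USER_NAME, identity)
    attrs += encode_attribute(NAS_IDENTIFIER, nas_id)
    attrs += encode_attribute(EAP_MESSAGE, eap_response_identity(identity))
    if saml:
        attrs += encode_attribute(SAML_DATA_TYPE, saml)
    attrs += encode_attribute(MESSAGE_AUTHENTICATOR, bytes(16))
    return attrs


def build_access_request(attributes: bytes, ident: int = 0) -> bytes:
    """Access-Request (Code 1) with a random Request Authenticator."""
    length = RADIUS_HEADER_LEN + len(attributes)
    if length > RADIUS_MAX_PACKET:
        raise ValueError(f"{length} octets exceeds the RADIUS maximum; "
                         "this is the case that needs fragmentation")
    return struct.pack("!BBH", 1, ident, length) + os.urandom(16) + attributes


def needs_fragmentation(identity: bytes, nas_id: bytes, saml: bytes) -> bool:
    """True if carrying this SAML data on the first Access-Request would push
    the packet past the 4096-octet limit."""
    total = RADIUS_HEADER_LEN + len(first_request_attributes(identity, nas_id, saml))
    return total > RADIUS_MAX_PACKET


def saml_budget(identity: bytes, nas_id: bytes) -> int:
    """Largest SAML payload that still fits in the first Access-Request, taking
    into account that every 253-octet chunk costs 2 more octets of header."""
    base = RADIUS_HEADER_LEN + len(first_request_attributes(identity, nas_id))
    room = RADIUS_MAX_PACKET - base
    full_chunks, rest = divmod(room, ATTR_MAX_VALUE_LEN + ATTR_HEADER_LEN)
    payload = full_chunks * ATTR_MAX_VALUE_LEN
    if rest > ATTR_HEADER_LEN:
        payload += rest - ATTR_HEADER_LEN
    return payload


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    ident, nas = b"alice@example.org", b"nas01"
    budget = saml_budget(ident, nas)
    print(f"SAML payload that fits beside EAP-Identity: {budget} octets")
    print("fragmentation needed at budget:", needs_fragmentation(ident, nas, b"x" * budget))
    print("fragmentation needed at budget+1:", needs_fragmentation(ident, nas, b"x" * (budget + 1)))
```

With a 17-octet identity and a 5-octet NAS-Identifier the fixed overhead is 88 octets, so 3976 octets of SAML data fit in a single 4096-octet Access-Request; one octet more forces a second attribute chunk and pushes the packet over the limit. A SAML AuthnRequest is often well under that, but a signed request with embedded certificates is the case where the budget runs out, which is the situation the fragmentation mechanism exists for.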