>>>>> "Alan" == Alan DeKok <[email protected]> writes:

    Alan>   It's partly DoS.  The issue of the NAS sending large amounts
    Alan> of data to the home server is an issue.  If it's for a trusted
    Alan> user, OK.  If it's for an unknown user, it's not OK.

OK.
I'm confused, because the NAS is sending data for itself in the cases
where we're talking about.
If the data is being sent by the user, I'd expect it to be in the EAP
stream.
The cases I at least am contemplating here are where the NAS wants to
send data about what it requires etc.

    Alan>   i.e. even if the NAS only sends 10K of data, attackers can
    Alan> open up thousands of unauthenticated connections, and
    Alan> potentially DoS the server.

Attackers who have any valid account could probably do the same.

    >> Also, from a DOS standpoint, since the entity being authenticated
    >> is the user, not the NAS, I'd like to understand how you're
    >> better off from a DOS standpoint after authentication.

    Alan>   It reduces the attack profile.  The issue of large volumes
    Alan> of authentication data is limited to (a) trusted NASes, and
    Alan> (b) known users.

Although this is also limited to trusted NASes.
The question is whether known user vs unknown user makes a difference
for data between NAS and home server.

    Alan>   The other issues are packet size, and changes to existing
    Alan> EAP processing.  EAP already largely fills RADIUS packets.
    Alan> Adding SAML data means that any UDP packet will be fragmented.
    Alan> It will then fail to cross the wider net.  TCP / TLS doesn't
    Alan> have this problem, of course.

My assumption is that if you were sending Access-Accept SAML auth data
you'd do it before you started EAP.

--Sam
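The packet-size point Alan raises above (EAP-Message attributes already fill RADIUS packets, and adding SAML data pushes a UDP datagram past the MTU) is easy to quantify. The following is an added example, not code from the thread or from any RADIUS implementation: it encodes an EAP payload and a SAML blob as RADIUS TLV attributes (max 255 bytes each, per RFC 2865), checks the result against the 4096-byte RADIUS maximum and against a 1500-byte Ethernet MTU, and reports whether IP fragmentation would be needed. The attribute type used for SAML data is a placeholder, and all payload sizes are constructed for illustration.

```python
"""
Added example (not part of the abfab thread): size budget for carrying
SAML data in the same RADIUS Access-Request/Challenge as EAP-Message.

Assumptions are labelled inline; payload lengths are constructed, and the
SAML attribute type is a placeholder rather than a registered value.
"""
import struct

RADIUS_MAX_PACKET = 4096   # RFC 2865 s.3: maximum RADIUS packet length
RADIUS_HEADER_LEN = 20     # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ATTR_HEADER_LEN = 2        # Type(1) + Length(1); Length covers the header too
ATTR_MAX_VALUE = 253       # 255 - 2, since the 8-bit Length includes the header

ETHERNET_MTU = 1500
IP_UDP_OVERHEAD = 28       # IPv4 header (20) + UDP header (8), no options
UDP_PAYLOAD_BUDGET = ETHERNET_MTU - IP_UDP_OVERHEAD   # 1472 bytes before fragmentation

EAP_MESSAGE_TYPE = 79               # RFC 2869 EAP-Message attribute
HYPOTHETICAL_SAML_ATTR_TYPE = 253   # placeholder only; not a registered RADIUS attribute


def split_into_attributes(attr_type: int, blob: bytes) -> list[bytes]:
    """Encode `blob` as a run of RADIUS TLVs, each at most 255 bytes.

    This is the same chunking RADIUS uses for EAP-Message: a long payload
    is carried as consecutive attributes of the same type.
    """
    attrs = []
    for offset in range(0, len(blob), ATTR_MAX_VALUE):
        chunk = blob[offset:offset + ATTR_MAX_VALUE]
        attrs.append(struct.pack("!BB", attr_type, len(chunk) + ATTR_HEADER_LEN) + chunk)
    return attrs


def build_packet(code: int, identifier: int, authenticator: bytes,
                 attributes: list[bytes]) -> bytes:
    """Assemble a RADIUS packet; refuses anything over the protocol maximum."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(attributes)
    length = RADIUS_HEADER_LEN + len(body)
    if length > RADIUS_MAX_PACKET:
        raise ValueError(f"packet length {length} exceeds RADIUS maximum {RADIUS_MAX_PACKET}")
    return struct.pack("!BBH", code, identifier, length) + authenticator + body


def assess(eap_payload_len: int, saml_len: int) -> dict:
    """Report the size consequences of adding `saml_len` bytes of SAML data
    to a packet that already carries `eap_payload_len` bytes of EAP."""
    # Constructed zero-filled payloads; only their lengths matter here.
    eap_attrs = split_into_attributes(EAP_MESSAGE_TYPE, b"\x00" * eap_payload_len)
    saml_attrs = split_into_attributes(HYPOTHETICAL_SAML_ATTR_TYPE, b"\x00" * saml_len)
    total = RADIUS_HEADER_LEN + sum(map(len, eap_attrs)) + sum(map(len, saml_attrs))
    return {
        "radius_length": total,
        "attribute_count": len(eap_attrs) + len(saml_attrs),
        "fits_radius_max": total <= RADIUS_MAX_PACKET,
        "needs_ip_fragmentation": total > UDP_PAYLOAD_BUDGET,
    }


if __name__ == "__main__":
    # 1000 bytes of EAP (one TLS record's worth) plus a 2000-byte SAML assertion.
    print(assess(eap_payload_len=1000, saml_len=2000))
    # The same EAP payload on its own stays inside a single Ethernet frame.
    print(assess(eap_payload_len=1000, saml_len=0))
```

Run as a script it prints the two assessments; the first shows a packet that is legal RADIUS (3044 bytes, well under 4096) but roughly twice the unfragmented UDP budget, which is exactly the "fails to cross the wider net" case, and the second shows the EAP-only packet staying inside one frame. The same numbers make the point that a TCP or TLS transport (RADIUS/TLS) sidesteps the fragmentation problem but not the 4096-byte RADIUS limit.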
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab