Sam Hartman wrote:
> I'm confused, because the NAS is sending data for itself in the cases
> where we're talking about.

The issue is that the NAS sends data on behalf of the user. Even if the user is unknown. So attackers can leverage the NAS to send large amounts of data.

> Attackers who have any valid account could probably do the same.

Yes. But that allows a negative feedback effect. You call the known person and tell them to stop attacking you.

> Although this is also limited to trusted NASes.
> The question is whether known user vs unknown user makes a difference
> for data between NAS and home server.

I think it does. It lowers the attack profile.

> my assumption is that if you were sending access-accept saml auth data
> you'd do it before you started EAP.

I'm wary of that approach.

Alan DeKok.
