At 01:24 PM 5/15/2002 -0400, Alan DeKok wrote:
>Josh Howlett <[EMAIL PROTECTED]> wrote:
> > I would certainly find this capability useful.  I don't see the harm in
> > _open_ extensions provided that they're documented and are inactive by
> > default.
>
>   There's also the problem of traffic analysis.
>
>   e.g. Packets to port 1812 are authentication requests.  Packets to
>port 1813 are accounting requests.  Small packets from port 1812 are
>authentication rejects.  Larger packets from port 1812 are
>authentication accepts.
>
>   You can get a LOT of information about what's going on in the
>network just by looking at ports and packet sizes.
>
>   So my question is: What purpose would be served by encrypting
>packets?  What information do you want to hide from prying eyes?

In a proxy environment, realms can indicate business relationships
which might otherwise not be publicly known.

In all environments, the attacks against breaking the shared secret
are sped up by having access to the ciphertext in User-Password as
well as by being able to correlate "like" packets.

In a wholesale environment RADIUS packets may be traversing unknown
or untrusted third-party networks.

Also, any information contained in the unencrypted other attributes
can yield a lot of information as well (phone numbers calling
from/to, destinations for login/telnet, etc.).

Having a username and a phone number calling from, one could imagine
some social engineering attacks...

Yes, it is pretty paranoid to think that someone would be interested
in that, but it also appears that it might not be overly hard to
add IPSec hooks, either.

-Chris
--
    \\\|||///  \          StarNet Inc.      \         Chris Parker
    \ ~   ~ /   \       WX *is* Wireless!    \   Director, Engineering
    | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
                   \ Wholesale Internet Services - http://www.megapop.net
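The point both posters make is that RADIUS puts its code, length and nearly every attribute on the wire in the clear, with only User-Password obfuscated. The following is an added example, not code from this thread or from FreeRADIUS: a small parser for the RFC 2865 header and attribute TLVs that lists what a passive observer on an untrusted network can read, run over constructed sample packets (the attribute values, zeroed authenticator and identifier are made up for illustration).

```python
import struct

# Packet codes from RFC 2865/2866; these travel unencrypted in the header.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}
# A few attribute types; only User-Password (type 2) is obfuscated on the wire.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 18: "Reply-Message",
              31: "Calling-Station-Id"}
OBFUSCATED_TYPES = {2}

def parse_radius(pkt: bytes) -> dict:
    """Return header fields and attributes exactly as a passive observer sees them."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet must be at least 20 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("Length field inconsistent with packet size")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("attribute length out of range")
        value = pkt[off + 2:off + alen]
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        # The password bytes are visible too; only their plaintext is hidden.
        shown = "<obfuscated>" if atype in OBFUSCATED_TYPES else value.decode("latin-1")
        attrs.append((name, shown))
        off += alen
    return {"code": CODES.get(code, f"Code-{code}"), "id": ident,
            "length": length, "attrs": attrs}

def cleartext_fields(pkt: bytes) -> list:
    """Names of attributes whose values an eavesdropper can read directly."""
    return [n for n, v in parse_radius(pkt)["attrs"] if v != "<obfuscated>"]

def build_packet(code: int, ident: int, attrs) -> bytes:
    """Assemble a constructed sample; the 16-byte authenticator is zeroed here."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples (not captured traffic): one request and two replies.
ACCESS_REQUEST = build_packet(1, 7, [(1, b"alice"), (2, bytes(16)),
                                     (31, b"5550100")])
ACCESS_REJECT = build_packet(3, 7, [])              # bare 20-byte header
ACCESS_ACCEPT = build_packet(2, 7, [(18, b"Welcome")])
```

Parsing the three samples shows the size difference between the reject and the accept that the quoted message describes, and that User-Name and Calling-Station-Id are readable without knowing the shared secret.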

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html