"Paolo Rotela" <[EMAIL PROTECTED]> wrote:
...

  I don't think this discussion is useful.  You have your opinions, but you're not responsible for server development.

> On the other hand, what's the security difference between accepting Accounting-Response packets without a Message-Authenticator because there is no standard, and accepting Accounting-Response packets with a non-recognized value of Message-Authenticator because there is no standard about how to calculate it? The most reasonable thing to do, I think, is to simply ignore the Attribute as if it were not there.

  Accounting-Response packets are signed, even without a Message-Authenticator.  This is required in the RFCs.

  As for what's reasonable to do, please feel free to patch your local copy of FreeRADIUS to behave however you want.

> > The packet is not a valid one, because there is no valid method of calculating Message-Authenticator. Therefore, it is an invalid packet.
>
> If there is no valid method of calculating MA, how can you know that it's invalid?

  Maybe you misunderstood me.  There is NO VALID VALUE for Message-Authenticator in Accounting-Response packet.

> In the same file, at line 1203, you are using this calculated value, again without regarding packet code, to decide whether to continue or exit with error status. Again, why, if there is no valid method?

  Because I updated the code to implement the new proposed method of calculating valid Message-Authenticators.

  Please stop arguing about this.  If you feel strongly, patch your local server.  That's why you have source.  The main FreeRADIUS distribution, however, WILL NOT be patched to do anything other than what I have described.

  Alan DeKok.
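Added example (not part of the original message and not FreeRADIUS code): the sketch below shows the signing that the reply refers to, the Response Authenticator that RFC 2866 defines for Accounting-Response, which covers the whole packet with the shared secret whether or not a Message-Authenticator attribute is present. The function names, the secret, the request authenticator and the Proxy-State value are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_RESPONSE = 5  # RADIUS packet code for Accounting-Response (RFC 2866)
HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_accounting_response(ident, request_auth, secret, attrs=b""):
    """Server side: sign the reply using the authenticator of the request it answers."""
    auth = response_authenticator(ACCOUNTING_RESPONSE, ident, request_auth, attrs, secret)
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, ident, HEADER_LEN + len(attrs))
    return header + auth + attrs


def verify_accounting_response(packet, request_auth, secret):
    """Client side: accept the reply only if its Response Authenticator matches."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_RESPONSE or not HEADER_LEN <= length <= len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding and are ignored
    expected = response_authenticator(code, ident, request_auth, packet[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


# Constructed sample values, not taken from any real deployment.
SECRET = b"testing123-constructed"
REQUEST_AUTH = bytes(range(16))   # authenticator of the Accounting-Request
PROXY_STATE = b"\x21\x06abcd"     # attribute 33 (Proxy-State), length 6

if __name__ == "__main__":
    reply = build_accounting_response(7, REQUEST_AUTH, SECRET, PROXY_STATE)
    tampered = reply[:-1] + b"X"
    print("genuine reply accepted:", verify_accounting_response(reply, REQUEST_AUTH, SECRET))
    print("tampered reply accepted:", verify_accounting_response(tampered, REQUEST_AUTH, SECRET))
```

A receiver that drops replies failing this check is rejecting forged or altered Accounting-Response packets without relying on Message-Authenticator at all.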

