> Dear all,
> https://s3.amazonaws.com/s3.documentcloud.org/documents/1102570/full-spectrum-cyber-effects-final.pdf
> explains that RADIUS data is being used to find TDIs. I have no idea
> what a TDI is, but from the document it looks like it contains
> information about specific users.

RADIUS is normally used as part of network access authentication, between a network access point and an authentication service. Unless precautions are taken, monitoring the RADIUS traffic can reveal the identity of users connecting to specific networks. It is easy to see the implications for pervasive monitoring.

There are two basic ways to protect RADIUS traffic from this monitoring. One possibility is to make sure that the actual user identities are only transmitted in encrypted EAP payloads, such as PEAP, but this requires scrubbing all implementations and making sure that they properly implement a correct EAP variant.

A stronger defense is to encrypt the traffic between access point and authentication server. The RADIUS specification suggested using IPSEC, compatible with the UDP transport. RFC 6614 specifies how to protect RADIUS traffic with TLS. Either TLS or IPSEC for RADIUS will thwart pervasive monitoring.

-- Christian Huitema

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
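As an added illustration of the message above (not part of the original post), this sketch parses an unencrypted RADIUS Access-Request and reports which identifying attributes are readable on the wire, so an operator can check their own captures before and after deploying an anonymised outer identity. The packets are constructed samples, and treating an empty or "anonymous" local part as an anonymised identity is an assumption of this example.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 3579) readable by a passive observer
USER_NAME, CALLING_STATION_ID, EAP_MESSAGE = 1, 31, 79

def build_access_request(attrs, ident=1):
    """Build a constructed Access-Request (code 1) from (type, bytes) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, ident, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Return the (type, value) attribute pairs of one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def cleartext_exposure(packet):
    """Summarise what an unencrypted Access-Request reveals on the wire."""
    attrs = parse_attributes(packet)
    first = lambda t: next((v.decode("utf-8", "replace") for a, v in attrs if a == t), None)
    user_name = first(USER_NAME)
    local = (user_name or "").split("@", 1)[0]
    return {
        "user_name": user_name,
        "calling_station_id": first(CALLING_STATION_ID),
        "carries_eap": any(a == EAP_MESSAGE for a, _ in attrs),
        # Assumption: an empty or "anonymous" local part is an anonymised outer identity
        "identity_exposed": user_name is not None and local not in ("", "anonymous"),
    }

# Constructed sample packets (not captured traffic)
PLAIN = build_access_request([(USER_NAME, b"alice@example.org"),
                              (CALLING_STATION_ID, b"02-00-00-00-00-01")])
TUNNELLED = build_access_request([(USER_NAME, b"anonymous@example.org"),
                                  (CALLING_STATION_ID, b"02-00-00-00-00-01"),
                                  (EAP_MESSAGE, b"\x02\x01\x00\x06\x19\x00")])

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("tunnelled", TUNNELLED)):
        print(name, cleartext_exposure(pkt))
```

In the second packet the user name is anonymised, but the Calling-Station-Id is still readable, which is the gap that transport encryption (IPsec or RFC 6614) closes.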
