>> Either TLS or IPSEC for RADIUS will thwart pervasive monitoring.
>
> If someone gains access to the backend database of the RADIUS server
> then you are unfortunately in trouble. It is also worth noting that both
> RADIUS and Diameter deployments have lots of intermediaries (as noted in
> these privacy reviews:
> http://www.iab.org/wp-content/IAB-uploads/2011/07/ABFAB-privacy-review.txt
> http://www.iab.org/wp-content/IAB-uploads/2011/07/AAA-privacy-review.txt)
>
> What you can then see is probably very similar to this:
> http://www.zeit.de/datenschutz/malte-spitz-data-retention

Hannes is correct, the encrypted transport will only protect against passive monitoring of the RADIUS traffic. There are two other obvious attacks, monitoring at intermediate servers and monitoring at the authentication server itself. And the references are worth reading again. Were they ever published as an RFC?

The monitoring at intermediate servers and proxies may be mitigated somewhat by the choice of appropriate EAP methods, in which the user name is obfuscated in the outer envelope and only revealed to the server in the encrypted EAP payload.

As for the attack against authentication servers, they are somewhat beyond the reach of the IETF. In fact, if I am not mistaken, the European data retention rules require that network providers keep that kind of information available for 18 months, and provide it on request. We can expect similar rules to appear in other regions. But we should at least try to ensure that if data has to be revealed, this is done with proper process and is applied on a case by case basis.

-- 
Christian Huitema

_______________________________________________
perpass mailing list
https://www.ietf.org/mailman/listinfo/perpass
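The point about outer identities can be made concrete with a small RADIUS encoder and a "proxy view" over the result. The following is an added example, not code from the message or from any IETF document: it builds an Access-Request (RFC 2865 framing) whose User-Name attribute is the outer identity and whose EAP-Message attribute carries an EAP Response/Identity (RFC 3748), then shows what an intermediary that routes on User-Name learns in each case. It assumes NAI-style `user@realm` identities and does not model the TLS tunnel of the EAP method itself; the inner, real identity that would travel inside that tunnel is simply not present in the packet a proxy sees. The identities and packet contents are constructed sample values.

```python
import os
import struct

# RADIUS code and attribute types (RFC 2865, RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79

# EAP code and type (RFC 3748).
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_identity_response(identifier: int, identity: str) -> bytes:
    """Build an EAP Response/Identity packet: Code, Identifier, Length, Type, Type-Data."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), EAP_TYPE_IDENTITY) + data


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type/Length/Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(identifier: int, outer_identity: str, eap: bytes, authenticator: bytes = b"") -> bytes:
    """Build an Access-Request: 20-byte header (Code, Identifier, Length, Request Authenticator) + attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = radius_attr(ATTR_USER_NAME, outer_identity.encode()) + radius_attr(ATTR_EAP_MESSAGE, eap)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> list:
    """Walk the attribute list of a RADIUS packet and return (type, value) pairs, rejecting bad lengths."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS Length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def proxy_view(packet: bytes) -> dict:
    """What an intermediary that routes on User-Name can learn from this request (no TLS payload needed)."""
    outer = next(v for t, v in parse_attributes(packet) if t == ATTR_USER_NAME).decode()
    if "@" in outer:
        user, realm = outer.rsplit("@", 1)
    else:
        user, realm = outer, ""
    return {"outer_identity": outer, "realm": realm, "user_part": user}


def outer_identity_exposes_user(packet: bytes, anonymous_users=("", "anonymous")) -> bool:
    """Audit check: True when the clear-text outer identity carries a real user part, so every proxy on the path sees who is authenticating."""
    return proxy_view(packet)["user_part"] not in anonymous_users


if __name__ == "__main__":
    # Constructed sample: the same supplicant with a leaky and with an anonymous outer identity.
    leaky = access_request(7, "alice@example.org", eap_identity_response(1, "alice@example.org"))
    hidden = access_request(8, "anonymous@example.org", eap_identity_response(1, "anonymous@example.org"))
    for name, pkt in (("leaky", leaky), ("hidden", hidden)):
        print(name, proxy_view(pkt), "exposes user:", outer_identity_exposes_user(pkt))
```

The realm is all a proxy needs to forward the request, so the audit function can be run over captured Access-Requests to find supplicants or NAS devices that put the real user name in the outer envelope instead of an anonymous NAI.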
