# HG changeset patch
# User Sebastien Decugis
# Date 1243848075 -32400
# Node ID 9d3dc44c9c22a9342bdefaabc3f30312ffdfe73c
# Parent f0ba4fa1665ebf11eb09fb7f0f727d6afea5e653
Added comments from RFC4005
diff -r f0ba4fa1665e -r 9d3dc44c9c22 extensions/radius_gw/rgw_clients.c
--- a/extensions/radius_gw/rgw_clients.c	Mon Jun 01 18:20:48 2009 +0900
+++ b/extensions/radius_gw/rgw_clients.c	Mon Jun 01 18:21:15 2009 +0900
@@ -353,12 +353,58 @@
 /* If these conditions are not met, the message is probably forged (well, this might be false...) */
 if ((! msg->valid_nas_info) && (nas_ip || nas_ip6)) {
+ /*
+ In RADIUS it would be possible for a rogue NAS to forge the NAS-IP-
+ Address attribute value. Diameter/RADIUS translation agents MUST
+ check a received NAS-IP-Address or NAS-IPv6-Address attribute against
+ the source address of the RADIUS packet. If they do not match and
+ the Diameter/RADIUS translation agent does not know whether the
+ packet was sent by a RADIUS proxy or NAS (e.g., no Proxy-State
+ attribute), then by default it is assumed that the source address
+ corresponds to a RADIUS proxy, and that the NAS Address is behind
+ that proxy, potentially with some additional RADIUS proxies in
+ between. The Diameter/RADIUS translation agent MUST insert entries
+ in the Route-Record AVP corresponding to the apparent route. This
+ implies doing a reverse lookup on the source address and NAS-IP-
+ Address or NAS-IPv6-Address attributes to determine the corresponding
+ FQDNs.
+
+ If the source address and the NAS-IP-Address or NAS-IPv6-Address do
+ not match, and the Diameter/RADIUS translation agent knows that it is
+ talking directly to the NAS (e.g., there are no RADIUS proxies
+ between it and the NAS), then the error should be logged, and the
+ packet MUST be discarded.
+
+ Diameter agents and servers MUST check whether the NAS-IP-Address AVP
+ corresponds to an entry in the Route-Record AVP. This is done by
+ doing a reverse lookup (PTR RR) for the NAS-IP-Address to retrieve
+ the corresponding FQDN, and by checking for a match with the Route-
+ Record AVP. If no match is found, then an error is logged, but no
+ other action is taken.
+ */
 TRACE_DEBUG(INFO, "Message received with a NAS-IP-Address or NAS-IPv6-Address different from the sender's. 
Discarding...");
- return EINVAL;
+ return ENOTSUP;
 }
 /* Now check the nas_id */
 if (nas_id) {
+ /*
+ In RADIUS it would be possible for a rogue NAS to forge the NAS-
+ Identifier attribute. Diameter/RADIUS translation agents SHOULD
+ attempt to check a received NAS-Identifier attribute against the
+ source address of the RADIUS packet, by doing an A/AAAA RR query. If
+ the NAS-Identifier attribute contains an FQDN, then such a query
+ would resolve to an IP address matching the source address. However,
+ the NAS-Identifier attribute is not required to contain an FQDN, so
+ such a query could fail. If it fails, an error should be logged, but
+ no action should be taken, other than a reverse lookup on the source
+ address and insert the resulting FQDN into the Route-Record AVP.
+
+ Diameter agents and servers SHOULD check whether a NAS-Identifier AVP
+ corresponds to an entry in the Route-Record AVP. If no match is
+ found, then an error is logged, but no other action is taken.
+ */
+ /* copy the alias */
 char * str;
 int found, ret;
diff -r f0ba4fa1665e -r 9d3dc44c9c22 extensions/radius_gw/sub_auth.c
--- a/extensions/radius_gw/sub_auth.c	Mon Jun 01 18:20:48 2009 +0900
+++ b/extensions/radius_gw/sub_auth.c	Mon Jun 01 18:21:15 2009 +0900
@@ -137,7 +137,6 @@
 return EINVAL;
 }
- return ENOTSUP;
 }
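Review bot: The RFC text pasted above the TRACE_DEBUG describes a proxy-tolerant path (assume the sender is a RADIUS proxy, reverse-look-up the addresses and add Route-Record entries) that the code directly below it does not take: on a NAS-IP-Address mismatch the message is always discarded, which the quoted text allows only when the agent knows it is talking directly to the NAS, and whether `valid_nas_info` already accounts for a Proxy-State attribute is decided outside this hunk. The comment should therefore be marked as the RFC 4005 requirements rather than a description of this code's behaviour, e.g. opening it with `/* RFC 4005 guidance; this implementation currently discards on any mismatch and does not implement the proxy/Route-Record path: */` or adding a TODO for the gap. The same applies to the second block over the `nas_id` check, where the A/AAAA lookup the text calls for is not visible in the hunk. The switch from EINVAL to ENOTSUP on the discard path is not explained by the commit message; a one-line comment on why the code changed would help any caller that distinguishes the two. The enclosing function starts and ends outside the hunk.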