Mercurial > hg > waaad
changeset 396:9d3dc44c9c22
Added comments from RFC4005
author | Sebastien Decugis <sdecugis@nict.go.jp> |
---|---|
date | Mon, 01 Jun 2009 18:21:15 +0900 |
parents | f0ba4fa1665e |
children | a84144eea96c |
files | extensions/radius_gw/rgw_clients.c extensions/radius_gw/sub_auth.c |
diffstat | 2 files changed, 47 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/extensions/radius_gw/rgw_clients.c Mon Jun 01 18:20:48 2009 +0900 +++ b/extensions/radius_gw/rgw_clients.c Mon Jun 01 18:21:15 2009 +0900 @@ -353,12 +353,58 @@ /* If these conditions are not met, the message is probably forged (well, this might be false...) */ if ((! msg->valid_nas_info) && (nas_ip || nas_ip6)) { + /* + In RADIUS it would be possible for a rogue NAS to forge the NAS-IP- + Address attribute value. Diameter/RADIUS translation agents MUST + check a received NAS-IP-Address or NAS-IPv6-Address attribute against + the source address of the RADIUS packet. If they do not match and + the Diameter/RADIUS translation agent does not know whether the + packet was sent by a RADIUS proxy or NAS (e.g., no Proxy-State + attribute), then by default it is assumed that the source address + corresponds to a RADIUS proxy, and that the NAS Address is behind + that proxy, potentially with some additional RADIUS proxies in + between. The Diameter/RADIUS translation agent MUST insert entries + in the Route-Record AVP corresponding to the apparent route. This + implies doing a reverse lookup on the source address and NAS-IP- + Address or NAS-IPv6-Address attributes to determine the corresponding + FQDNs. + + If the source address and the NAS-IP-Address or NAS-IPv6-Address do + not match, and the Diameter/RADIUS translation agent knows that it is + talking directly to the NAS (e.g., there are no RADIUS proxies + between it and the NAS), then the error should be logged, and the + packet MUST be discarded. + + Diameter agents and servers MUST check whether the NAS-IP-Address AVP + corresponds to an entry in the Route-Record AVP. This is done by + doing a reverse lookup (PTR RR) for the NAS-IP-Address to retrieve + the corresponding FQDN, and by checking for a match with the Route- + Record AVP. If no match is found, then an error is logged, but no + other action is taken. + */ TRACE_DEBUG(INFO, "Message received with a NAS-IP-Address or NAS-IPv6-Address different from the sender's. Discarding..."); - return EINVAL; + return ENOTSUP; } /* Now check the nas_id */ if (nas_id) { + /* + In RADIUS it would be possible for a rogue NAS to forge the NAS- + Identifier attribute. Diameter/RADIUS translation agents SHOULD + attempt to check a received NAS-Identifier attribute against the + source address of the RADIUS packet, by doing an A/AAAA RR query. If + the NAS-Identifier attribute contains an FQDN, then such a query + would resolve to an IP address matching the source address. However, + the NAS-Identifier attribute is not required to contain an FQDN, so + such a query could fail. If it fails, an error should be logged, but + no action should be taken, other than a reverse lookup on the source + address and insert the resulting FQDN into the Route-Record AVP. + + Diameter agents and servers SHOULD check whether a NAS-Identifier AVP + corresponds to an entry in the Route-Record AVP. If no match is + found, then an error is logged, but no other action is taken. + */ + /* copy the alias */ char * str; int found, ret;