rfc4590
Alan DeKok
aland at deployingradius.com
Mon Sep 25 20:16:18 CEST 2006
"Alexander Schrab" <Alexander.Schrab at axis.com> wrote:
> Well, not really. That is the most simple way of doing it. But there are
> several other ways that are better. One possible idea is to use part of
> the nonce as a signature of the rest of the nonce. And part of the nonce
> can be a time stamp. This way the impact of replay attacks and DoS
> attacks can be minimized. Anyhow, you can do it a lot more complicated
> than random :)
If you do send random nonces, you have to protect against replay
attacks. Putting a timestamp in the nonce means that it's easier to
protect against replays.
The issue is somewhat similar in the use of the State attribute. I
think it's easiest to put common code in the server core to do this.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
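
The nonce scheme discussed in this thread (a timestamp inside the nonce, with part of the nonce acting as a signature over the rest), as an added example that is not part of the original message or of FreeRADIUS. The class name, field layout, HMAC-SHA256 tag and 30-second lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

# Assumed layout, not from the post: 64-bit timestamp || 64-bit random || MAC
BODY_LEN = 8 + 8
MAC_LEN = 16          # truncated HMAC-SHA256 tag, in bytes

class NonceIssuer:
    """Issues and checks nonces of the form hex(timestamp || random || MAC)."""

    def __init__(self, key, lifetime=30):
        self.key = key
        self.lifetime = lifetime      # seconds a nonce stays acceptable
        self.seen = {}                # raw nonce -> issue time, live nonces only

    def _mac(self, body):
        return hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]

    def issue(self, now=None):
        now = int(time.time() if now is None else now)
        body = struct.pack(">Q", now) + os.urandom(8)
        return (body + self._mac(body)).hex()

    def check(self, nonce, now=None):
        """Return 'ok', 'malformed', 'forged', 'stale' or 'replayed'."""
        now = int(time.time() if now is None else now)
        try:
            raw = bytes.fromhex(nonce)
        except ValueError:
            return "malformed"
        if len(raw) != BODY_LEN + MAC_LEN:
            return "malformed"
        body, tag = raw[:BODY_LEN], raw[BODY_LEN:]
        # Verify the MAC before trusting the timestamp or touching any state.
        if not hmac.compare_digest(tag, self._mac(body)):
            return "forged"
        issued = struct.unpack(">Q", body[:8])[0]
        if issued > now or now - issued > self.lifetime:
            return "stale"
        # Expired entries can be dropped: the timestamp check rejects them anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.lifetime}
        if raw in self.seen:
            return "replayed"
        self.seen[raw] = issued
        return "ok"
```

Because the MAC is checked first, forged nonces never reach the replay cache, and the timestamp bounds that cache to nonces issued within one lifetime.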