Alan DeKok aland at deployingradius.com
Mon Sep 25 20:16:18 CEST 2006

"Alexander Schrab" <Alexander.Schrab at axis.com> wrote:
> Well, not really. That is the most simple way of doing it. But there are
> several other ways that are better. One possible idea is to use part of
> the nonce as a signature of the rest of the nonce. And part of the nonce
> can be a time stamp. This way the impact of replay attacks and DoS
> attacks can be minimized. Anyhow, you can do it a lot more complicated
> than random :)

  If you do send random nonces, you have to protect against replay
attacks.  Putting a timestamp in the nonce means that it's easier to
protect against replays.

  The issue is somewhat similar in the use of the State attribute.  I
think it's easiest to put common code in the server core to do this.

  Alan DeKok.
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

More information about the Freeradius-Devel mailing list