Re: [HOKEY] ERX fraud issue
From: Bernard Aboba (bernard_abobahotmail.com)
Date: Thu, 13 Mar 2008 07:20:30 -0700 (PDT)
> For hotspot or dial-up, the passwords are sent in clear-text. This
> gives the visited operators the ability to invent sessions.

[BA] Fair enough.
 
> Hokey restricts ERX to within one domain (I think Glen said that in
> the meeting), so the above restriction will apply to Hokey, too. This
> means that the only vulnerability Hokey has to fraudulent operators is
> their ability to use ERX to generate *multiple* authentications for the
> same user.

[BA] This is where I get confused.  As far as I can tell, the DSRK request
can be inserted by *any* proxy on the path.  So I'm not sure how the
restriction is implemented in practice.

> This fraud can be detected and prevented if Hokey ties each ERX
> session to the original EAP session. (It's not immediately obvious from
> a scan of ERX-13 how this happens). i.e. Any accounting stream from an
> ERX authentication should be tied to the original EAP authentication.
> The home server can then validate that it is receiving one, and only
> one, accounting stream that results from an EAP authentication.

[BA] It would certainly help for the subsequent ERX accounting records to
be tied to the original EAP session (e.g. via use of the same Multi-Session-Id).
But it would still be necessary to tie the ERX accounting records to
an authentication that terminates at the home ERX server, not just
the local ERX server.

> I think that the ERX server MUST be within the same domain as the AAA
> server: the visited domain.

[BA] If the ERX server and AAA server are both in the visited domain, why refer
to a "local" ERX server and a "home" ERX server?  I thought that the
applicability statement proposed refers to inter-domain use.

> That would be best, I think.

[BA] I agree that the restrictions you describe would address the issue,
but I'm still confused as to whether the solution scope includes those
restrictions or not.

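A check for the invariant the thread proposes (each ERX accounting stream tied via Multi-Session-Id to exactly one EAP authentication that terminated at the home server, and one such stream per authentication), as an added example that is not part of this message or any HOKEY draft; the record format and field names are assumptions:

```python
"""Constructed audit of accounting streams against home EAP authentications.

Flags (a) more than one accounting stream for one EAP session, which is the
"multiple authentications for the same user" fraud discussed above, and
(b) accounting streams not tied to an authentication that terminated at the
home server. Record layout and field names are assumed, not from any spec."""
from collections import defaultdict

# Constructed sample records: (kind, multi_session_id, acct_session_id, server).
# "eap"  = a full EAP authentication as seen by the home server.
# "acct" = an accounting stream, keyed by its Acct-Session-Id.
SAMPLE_RECORDS = [
    ("eap",  "ms-1", None,     "home"),
    ("acct", "ms-1", "acct-1", "home"),   # legitimate: one stream for ms-1
    ("eap",  "ms-2", None,     "home"),
    ("acct", "ms-2", "acct-2", "home"),
    ("acct", "ms-2", "acct-3", "home"),   # second stream for the same EAP session
    ("acct", "ms-9", "acct-4", "local"),  # ERX accounting with no home EAP session
]

def audit_sessions(records):
    """Return {multi_session_id: finding} for every stream that breaks the rule.

    "multiple_streams": more than one accounting stream for one EAP session.
    "untethered":       accounting stream whose Multi-Session-Id matches no EAP
                        authentication that terminated at the home server.
    """
    eap_sessions = set()
    streams = defaultdict(set)
    for kind, msid, acct_id, server in records:
        if kind == "eap" and server == "home":
            eap_sessions.add(msid)
        elif kind == "acct":
            streams[msid].add(acct_id)
    findings = {}
    for msid, acct_ids in streams.items():
        if msid not in eap_sessions:
            findings[msid] = "untethered"
        elif len(acct_ids) > 1:
            findings[msid] = "multiple_streams"
    return findings

if __name__ == "__main__":
    for msid, problem in sorted(audit_sessions(SAMPLE_RECORDS).items()):
        print(msid, problem)
```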