eap Mailing List: Re: [HOKEY] ERX fraud issue

[Bernard_Aboba (Bernard_Aboba]

>  A proxy inserting a DSRK for the purposes of faking authentication
> would presumably do so without the cooperation of the visited network.
> The proxy would then have to filter the accounting traffic from the
> visited network.

[BA] Ah... so you are saying that the forgery can be detected by looking
for overlap in the time sequence of user activity?  This seems like a
fairly intensive check, though.

>  This is where a 3 party *reconciliation* protocol would be beneficial.
> If the visited network, proxies, and home network all share their
> accounting data, fraud is easier to detect.

[BA] I was looking for something simpler, such as a mechanism that
would enable checking of a ERX auth exchange with the home server
against subsequent accounting records sent by the local ERX server.
For example, if the peer were to use ERX to tell the home server what
local domain it is in, then the home server could ensure that it only
accepts accounting records from that domain, and no other ones.

> > [BA] It would certainly help for the subsequent ERX accounting records to
> > be tied to the original EAP session (e.g. via use of the same
> > Multi-Session-Id).
>
>  Not many systems implement Multi-Session-Id.  It may be simpler just
> to require the accounting records for the visited network to be
> consistent.  i.e. when a user moves to a new NAS, the records could be
> sent through the visited network AAA server, which could do the
> necessary data massaging to create a canonical accounting stream.

[BA] That would be fine too, as long as the home server knows what
visited network the accounting data is supposed to come from.