Tom Lane wrote: > Hm ... seems to me that is a network security problem, not our problem. > Who's to say one of the spoofed packets won't pass verification?
The packets are signed with a shared key. Passing verification means either the attacker knows the key, or the attacker has broken MD5 in ways that are currently unknown. > If you want to change it, I won't stand in the way, but I have real > doubts about both the credibility of this threat and the usefulness > of the proposed fix. The credibility of the threat is high. Anyone can trivially send a packet which will cause authentication to fail. This is a DoS attack. The usefulness of the fix is to mitigate the threat, and the implement the security features mandated by RFC 2865. It's also how *all* RADIUS implementations work. Alan DeKok. -- Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-bugs
