Skip to main content

7. Security Considerations

RFC 9965 permits unknown, anonymous, unauthenticated devices to request network access. Operators must strictly limit that access. Future specifications that register NAIs should describe the network access to be provided.

On-path attackers are a central risk. Public credentials and skipped server validation can make attacks succeed where they would normally fail. EAP peers and servers MUST assume that all EAP-session data is visible to attackers and can be modified. These methods MUST only bootstrap initial network access.

Provisioning networks should allow only traffic needed for the current method. DNS recursive resolvers SHOULD NOT be exposed on provisioning networks. Operators should limit available services, concurrent devices, per-device rate, total time on the network, and total transferred data.