silently drop packet (access-request)

Andriy Gapon avg at icyb.net.ua
Thu Feb 9 15:57:26 CET 2006


Alan,

thank you very much for your reply. Sorry if my reply breaks message
threading for you - I am replying based on the web-archive as I don't
receive this list by email.

Alan DeKok wrote:
> Andriy Gapon <avg at icyb.net.ua> wrote:
>> Is there a way to force a silent drop of a packet instead of sending
>> Access-Reject ?
> 
>   No.
> 
>> On a somewhat related note: is there way to make FreeRADIUS server
>> drop/reject all incoming packets without Message-Authenticator the same
>> way it does this for packets with invalid/incorrect value in that
>> attribute ? Preferably through configuration, without changes in code.
> 
> $ man users
> 
> DEFAULT Message-Authenticator !* 0x00, Auth-Type := Reject

It seems that I was a little bit confused in my assumptions about
dropping and rejecting. Do I understand correctly now that a packet is
dropped only if rad_recv() returns NULL and in all other cases reply is
sent ?

If this is correct, then a packet is dropped only in two cases related
to Message-Authenticator - (1) if length of this attribute is invalid;
(2) if EAP-Message is present but Message-Authenticator is not.

I think that it would be nice if list of such situations could be
configurable and extensible. For example, there are some RADIUS-related
solutions/drafts out there that require requests being silently dropped
if they don't have Message-Authenticator or have incorrect value of
Message-Authenticator. Neither can be done now with FreeRADIUS without
modifying its source code. Please note that I am talking now only about
dropping requests, not rejecting them. Rejecting is very easy as your
example shows (thanks a lot for it!).

Maybe the following would be good enhancements (if they are not too hard
to implement):
1. have a configurable list of attributes that require
Message-Authenticator (so that I could put Message-Digest there, for
example, in addition to EAP-Message)
2. have a configuration knob that could tell "drop all incoming messages
without Message-Authenticator"
3. do Message-Authenticator value validation in rad_recv() (this could
be configurable too, defaulting to current behavior)

Even more flexible would be a capability to silently drop packet in any
(auth) module, but I think that it would require a lot of work. BTW,
there is a bug report in FreeRADIUS bugzilla related to this (it's not
mine):
http://bugs.freeradius.org/show_bug.cgi?id=313


What do you think about such extensions ? Will code contributions be
welcomed for them ?

-- 
Andriy Gapon



More information about the Freeradius-Users mailing list