silently drop packet (access-request)
Alan DeKok
aland at ox.org
Thu Feb 9 18:08:14 CET 2006
Andriy Gapon <avg at icyb.net.ua> wrote:
> I think that it would be nice if list of such situations could be
> configurable and extensible.
No.
Dropping the packet is a security decision and there is no reason to
make it configurable.
> For example, there are some RADIUS-related solutions/drafts out
> there that require requests being silently dropped if they don't
> have Message-Authenticator or have incorrect value of
> Message-Authenticator. Neither can be done now with FreeRADIUS
> without modifying its source code.
Then we will modify the source code to add those cases, like we did
when EAP support was added.
> 1. have a configurable list of attributes that require
> Message-Authenticator (so that I could put Message-Digest there, for
> example, in addition to EAP-Message)
Then people will edit the list to break the server. No.
> 2. have a configuration knob that could tell "drop all incoming messages
> without Message-Authenticator"
That could be done.
> 3. do Message-Authenticator value validation in rad_recv() (this could
> be configurable too, defaulting to current behavior)
No. It's a performance issue.
> Even more flexible would be a capability to silently drop packet in any
> (auth) module, but I think that it would require a lot of work. BTW,
> there is a bug report in FreeRADIUS bugzilla related to this (it's not
> mine):
> http://bugs.freeradius.org/show_bug.cgi?id=313
It's a bad idea, it violates the RFCs, and it makes your network
more unstable.
Alan DeKok.
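As an added illustration of the check the thread is about (this is example code written for this page, not code from the original post and not FreeRADIUS source): the function below parses an Access-Request, recomputes the RFC 2869 Message-Authenticator (HMAC-MD5 with the shared secret over the packet with the attribute value zeroed), and returns a drop decision. The shared secret and packets are constructed for the example, and the should_drop() policy knobs (require_with, require_always) are hypothetical names standing in for the options discussed above; they are not FreeRADIUS configuration.

```python
"""
Message-Authenticator (RADIUS attribute 80) check for Access-Request packets.
Added example for the discussion above; not FreeRADIUS code.  The shared
secret, packet contents and the should_drop() policy knobs are constructed
for illustration only.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20

SECRET = b"testing123"  # constructed shared secret, not a deployment value


def parse_attributes(packet):
    """Yield (type, offset, value) for each attribute inside the packet's
    declared Length; raise ValueError on a malformed packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("Length field out of range")
    offset = HEADER_LEN
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > length:
            raise ValueError("bad attribute length")
        yield atype, offset, packet[offset + 2:offset + alen]
        offset += alen


def build_access_request(secret, pkt_id, attrs, include_ma=True, req_auth=None):
    """Build an Access-Request (constructed test input).  With include_ma the
    Message-Authenticator is appended last and filled with
    HMAC-MD5(secret, packet with the attribute value set to 16 zero bytes)."""
    req_auth = req_auth or os.urandom(16)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if include_ma:
        body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, HEADER_LEN + len(body))
    packet += req_auth + body
    if include_ma:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # the zero placeholder is the last 16 bytes
    return packet


def check_message_authenticator(packet, secret):
    """Return 'ok', 'missing', 'invalid' or 'malformed'."""
    try:
        attrs = list(parse_attributes(packet))
    except ValueError:
        return "malformed"
    length = struct.unpack("!H", packet[2:4])[0]
    found = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        return "missing"
    off, val = found[0]
    if len(val) != 16:
        return "malformed"
    # RFC 2869 s5.14: HMAC-MD5 over the packet (up to Length) with the
    # Message-Authenticator value replaced by 16 zero bytes.
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(expected, val) else "invalid"


def should_drop(packet, secret, require_with=(ATTR_EAP_MESSAGE,), require_always=False):
    """Decide whether to silently drop the Access-Request.
    Malformed packet or wrong Message-Authenticator: always drop.
    Missing Message-Authenticator: drop when require_always is set (the
    'drop everything without one' knob from the thread) or when the packet
    carries an attribute that mandates one, e.g. EAP-Message (RFC 3579).
    The knob names are hypothetical, not FreeRADIUS configuration."""
    result = check_message_authenticator(packet, secret)
    if result in ("malformed", "invalid"):
        return True
    if result == "missing":
        if require_always:
            return True
        present = {t for t, _, _ in parse_attributes(packet)}
        return bool(present & set(require_with))
    return False
```

Note that the verifier only needs the shared secret, so the check can run before any authentication module sees the packet, which is the point of the "check early, drop silently" behaviour under discussion: a packet with a bad HMAC carries no information the server should act on, and answering it would only confirm to a sender that the server is there.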