RadSec FR3.0 to Radiator: "Received packet will be too large"

Stefan Winter stefan.winter at restena.lu
Thu Feb 23 07:43:44 CET 2012


Hi,

>> We're piloting RadSec as a federation server uplink.  They use Radiator.  When we first attempted to connect we'd get
>> a "Received packet will be too large!" carp from main/tls.c.  They checked on their end and say they have no fragment
>> size option for RadSec TLS connections, only for EAP-TLS connections.

The above doesn't make much sense to me... there are size limits in 
RADIUS, but not regarding the TLS stream around them. The limits in 
question are:

- EAP-Message total length must be <= MTU between NAS and device (EAP 
cannot be fragmented on layer 2)
- RADIUS datagram total length 4096 Bytes (arbitrary RFC limit)

The RADIUS/TLS wrapper around those datagrams is not size-limited at all 
- it carries streams on "n" RADIUS datagrams. The TCP stack will take 
care of sending the data in chunks like with any other TCP based protocol.

My guess is that main/tls.c "thinks" it operates within an EAP context 
and tries to warn of too big data chunks, while there is actually 
nothing to warn about.

Greetings,

Stefan Winter

>>
>> So we applied the below as a test and it works, but I was wondering as to the wisdom of it...
>
> interesting....a RADSEC packet can be much bigger than that too - 2048 gives some room for a big
> certificate - but not if it's double-chained with intermediate and it's got a nice security size
> instead of being a little 512bit RSA one.  typically EAP-TLS can be fragmented on the server due
> to it going through to the end-clients ..and being UDP things get a little nasty...whereas with RADSEC
> there's no reason why a single TCP request couldn't be quite large and needing to be fragmented
> by the routers....
>
> alan


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et 
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
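
Added example, not part of the original message and not FreeRADIUS or Radiator code: a receiver for the decrypted RADIUS/TLS byte stream that takes packet boundaries only from the Length field of each RADIUS header and applies the 4096-byte limit per packet, never per read. The names `radsec_stream`, `radsec_peek`, `radsec_feed` and `radsec_demo` are hypothetical, and the three-packet stream is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RADIUS_HDR_LEN 20    /* code, id, length, 16-byte authenticator */
#define RADIUS_MAX_LEN 4096  /* per-packet limit quoted in the message above */

struct radsec_stream { uint8_t buf[2 * RADIUS_MAX_LEN]; size_t used; };

/* Length of the first complete packet, 0 if more bytes are needed, -1 if bad. */
static int radsec_peek(const struct radsec_stream *s) {
    if (s->used < 4) return 0;                          /* Length not yet readable */
    size_t len = ((size_t)s->buf[2] << 8) | s->buf[3];  /* big-endian Length field */
    if (len < RADIUS_HDR_LEN || len > RADIUS_MAX_LEN) return -1;
    return s->used >= len ? (int)len : 0;
}

/* Append n decrypted bytes of any alignment; count the packets they complete. */
static int radsec_feed(struct radsec_stream *s, const uint8_t *chunk, size_t n) {
    int packets = 0, len;
    if (n > sizeof(s->buf) - s->used) return -1;   /* caller read too much at once */
    memcpy(s->buf + s->used, chunk, n);
    s->used += n;
    while ((len = radsec_peek(s)) > 0) {   /* a server would decode buf[0..len) here */
        memmove(s->buf, s->buf + len, s->used - (size_t)len);
        s->used -= (size_t)len;
        packets++;
    }
    return len < 0 ? -1 : packets;
}

/* Constructed stream of 20-, 4096- and 300-byte packets, read `chunk` bytes at a time. */
static int radsec_demo(size_t chunk) {
    static const size_t sizes[3] = { 20, 4096, 300 };
    static uint8_t wire[20 + 4096 + 300];
    struct radsec_stream s = { {0}, 0 };
    size_t off = 0, i, n;
    int total = 0, got;
    for (i = 0; i < 3; off += sizes[i++]) {        /* write each Length field */
        wire[off + 2] = (uint8_t)(sizes[i] >> 8);
        wire[off + 3] = (uint8_t)(sizes[i] & 0xff);
    }
    for (off = 0; off < sizeof(wire); off += n, total += got) {
        n = sizeof(wire) - off < chunk ? sizeof(wire) - off : chunk;
        if (n == 0 || (got = radsec_feed(&s, wire + off, n)) < 0) return -1;
    }
    return s.used == 0 ? total : -1;   /* packets recovered, -1 on any error */
}

int main(void) { return radsec_demo(1000) == 3 ? 0 : 1; }
```

The same three packets come out whether the stream arrives one byte at a time or in reads larger than a single packet.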
