rfc6929 - tlv attributes in extended attribute 246

Vereecke, Katrien (Nokia - BE) katrien.vereecke at nokia.com
Mon Apr 4 15:09:02 CEST 2016


Hello,

I see a difference in behavior for a tlv attribute in an extended attribute 246 in FreeRadius version 3.0.x and FreeRadius version 3.1.x.

My dictionary contains the following attributes:
BEGIN-VENDOR    Alcatel-IPD format=Extended-Vendor-Specific-6
ATTRIBUTE Alcatel-IPD-Ext-6-TestAttr-1  1  integer
ATTRIBUTE Alcatel-IPD-Ext-6-TestAttr-2  2  string
ATTRIBUTE Alcatel-IPD-Ext-6-TestAttr-3  3  tlv
ATTRIBUTE Alcatel-IPD-Ext-6-TestAttr-3-1  3.1 string
ATTRIBUTE Alcatel-IPD-Ext-6-TestAttr-3-2  3.2 tlv
ATTRIBUTE Alcatel-IPD-Ext-6-TestAttr-3-2-1  3.2.1 string
END-VENDOR      Alcatel-IPD

I have the following attributes in my users file:
Alcatel-IPD-Ext-6-TestAttr-2 = "test3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLenAttention",
Alcatel-IPD-Ext-6-TestAttr-3-1 = "testattr_3_1",
Alcatel-IPD-Ext-6-TestAttr-3-2-1 =  "testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1",

The output of the FreeRadius server in version 3.0.x:
The Access-Accept message:
(2) Sent Access-Accept Id 14 from 138.203.10.191:1812 to 138.203.10.123:64388 length 0
....
.....
(2)   Alcatel-IPD-Ext-6-TestAttr-2 = "test3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLente"
(2)   Alcatel-IPD-Ext-6-TestAttr-3-1 = "testattr_3_1"
(2)   Alcatel-IPD-Ext-6-TestAttr-3-2-1 = "testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr"

The output of the FreeRadius server in version 3.1.x:
(0)    Alcatel-IPD-Ext-6-TestAttr-2 = "test3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLentest3FragWithLongLente"
(0)    Alcatel-IPD-Ext-6-TestAttr-3-1 = "testattr_3_1"
(0)    Alcatel-IPD-Ext-6-TestAttr-3-2-1 = "testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr_3_2_1testAttr"

Although the output of the FreeRadius server shows the same output in version 3.0.x and version 3.1.x, Wireshark shows that there is a difference in the Access-Accept packet sent.
In version 3.0.x the packet contains all the information for the tlv attribute Alcatel-IPD-Ext-6-TestAttr-3_xx, while in version 3.1.x I only see the attribute Alcatel-IPD-Ext-6-TestAttr-3-1.

Wireshark for version 3.0.x:
Frame 623: 1223 bytes on wire (9784 bits), 1223 bytes captured (9784 bits) on interface 0
Ethernet II, Src: SuperMic_a2:12:54 (00:25:90:a2:12:54), Dst: SuperMic_57:a0:76 (00:25:90:57:a0:76)
Internet Protocol Version 4, Src: 138.203.10.191, Dst: 138.203.10.123
User Datagram Protocol, Src Port: 1812 (1812), Dst Port: 64388 (64388)
RADIUS Protocol
    Code: Access-Accept (2)
    Packet identifier: 0xe (14)
    Length: 2661
    Authenticator: a01937c98d28165fc4c238e5cd8867cd
    [This is a response to a request in frame 615]
    [Time from request: 0.000860000 seconds]
    Attribute Value Pairs
        AVP: l=7 t=Unknown-Attribute(241): 060000003c
        ....
        AVP: l=255 t=Unknown-Attribute(246): 1a800000197f02746573743346726167576974684c6f6e67...
        AVP: l=147 t=Unknown-Attribute(246): 1a00726167576974684c6f6e674c656e7465737433467261...
        AVP: l=255 t=Unknown-Attribute(246): 1a800000197f03010e74657374617474725f335f3102ff01...
        AVP: l=27 t=Unknown-Attribute(246): 1a00417474725f335f325f3174657374417474725f335f32...
        AVP: l=7 t=Unknown-Attribute(243): 0b00000005
        AVP: l=7 t=Unknown-Attribute(243): 0b00000006
       ....
        AVP: l=11 t=Reply-Message(18): Welcome!\n

Wireshark for version 3.1.x:
Frame 516: 638 bytes on wire (5104 bits), 638 bytes captured (5104 bits) on interface 0
Ethernet II, Src: SuperMic_a2:12:54 (00:25:90:a2:12:54), Dst: SuperMic_57:a0:76 (00:25:90:57:a0:76)
Internet Protocol Version 4, Src: 138.203.10.191, Dst: 138.203.10.123
User Datagram Protocol, Src Port: 1812 (1812), Dst Port: 64384 (64384)
RADIUS Protocol
    Code: Access-Accept (2)
    Packet identifier: 0xf (15)
    Length: 2076
    Authenticator: 4545fca0176c445525748ced32857ae1
    [This is a response to a request in frame 502]
    [Time from request: 0.003358000 seconds]
    Attribute Value Pairs
        AVP: l=7 t=Unknown-Attribute(241): 060000003c
        ....
        AVP: l=255 t=Unknown-Attribute(246): 1a800000197f02746573743346726167576974684c6f6e67...
        AVP: l=147 t=Unknown-Attribute(246): 1a00726167576974684c6f6e674c656e7465737433467261...
        AVP: l=23 t=Unknown-Attribute(246): 1a000000197f03010e74657374617474725f335f31
        AVP: l=7 t=Unknown-Attribute(243): 0b00000005
        AVP: l=7 t=Unknown-Attribute(243): 0b00000006
        ....
        AVP: l=11 t=Reply-Message(18): Welcome!\n

I think the behavior of the FreeRadius version v3.0.x is ok.  The access-accept contains the attribute Alcatel-IPD-Ext-6-TestAttr-3-1 and the attribute Alcatel-IPD-Ext-6-TestAttr-3-2-1 is partially in the first fragment and in the second fragment for the max length of 255 bytes.
This is not the case in FreeRadius version v3.1.x?

Thanks,
Kind regards,
Katrien.
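
As an added example (not part of the original post), a small Python decoder for the RFC 6929 Long-Extended / Extended-Vendor-Specific layout visible in the captures above, useful for checking which nested TLVs actually reached the wire. `PAGE_AVP` is the one complete 3.1.x AVP value from the Wireshark output; `SAMPLE` and all function names are constructed for illustration.

```python
import struct

MORE = 0x80  # RFC 6929 "M" (More) bit in the Long-Extended flags octet

def reassemble(avp_values):
    """Join Long-Extended fragments; each AVP value is [ext_type][flags][data]."""
    out, buf, cur = [], b"", None
    for v in avp_values:
        if len(v) < 2 or (cur is not None and v[0] != cur):
            raise ValueError("bad Long-Extended fragment")
        cur, buf = v[0], buf + v[2:]
        if not v[1] & MORE:              # last fragment closes the attribute
            out.append((cur, buf))
            buf, cur = b"", None
    if cur is not None:
        raise ValueError("More bit set on the final fragment")
    return out

def parse_evs(data):
    """Extended-Vendor-Specific body: Vendor-Id (4), Vendor-Type (1), value."""
    if len(data) < 5:
        raise ValueError("short EVS body")
    vendor_id, vendor_type = struct.unpack("!IB", data[:5])
    return vendor_id, vendor_type, data[5:]

def parse_tlvs(buf):
    """Decode [type][len][value] records; len includes the 2 header octets."""
    tlvs, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("TLV at offset %d is truncated or overruns" % i)
        tlvs.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return tlvs

def decode(avp_values):
    """Return (ext_type, vendor_id, vendor_type, sub-TLVs) of the first attribute."""
    ext_type, data = reassemble(avp_values)[0]
    vendor_id, vendor_type, value = parse_evs(data)
    return ext_type, vendor_id, vendor_type, parse_tlvs(value)

# The one complete 246 AVP value in the 3.1.x capture above (l=23).
PAGE_AVP = bytes.fromhex("1a000000197f03010e74657374617474725f335f31")

# Constructed sample: sub-TLVs 3.1 and 3.2 (holding 3.2.1), split over two AVPs.
inner = bytes([1, 8]) + b"nested"
body = struct.pack("!IB", 0x197F, 3) + bytes([1, 5]) + b"abc" + bytes([2, 10]) + inner
SAMPLE = [bytes([26, MORE]) + body[:10], bytes([26, 0]) + body[10:]]
```

Calling `decode([PAGE_AVP])` shows that the 3.1.x attribute carries only sub-TLV 1; passing the value of sub-TLV 2 from `decode(SAMPLE)` back into `parse_tlvs` yields the nested 3.2.1 record.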


