On Mon, Jun 04, 2012 at 10:45:53AM +0100, Phil Mayers wrote:
On 06/03/2012 08:38 PM, Brian Candler wrote:
The same argument applies to RADIUS proxying IMO.
As others have suggested, this is not a great idea.
One specific technical problem is that, for a given source port & destination proxy, you can only have ~255 radius packets in-flight at any given moment, because of the limited radius ID space.
If you don't sanitise input before proxying, an accidental or malicious attempt to authenticate to a roaming consortium member could potentially cause denial of service on one or more proxies in the hierarchy (and in fact, this very thing has happened in eduroam).
If I wanted to do a DoS attack, I would simply submit valid-looking (but non-existent) realms, or indeed invalid usernames at valid realms, which would force the proxying all the way through to the end server for that realm. Also, I would expect that the majority of typos would result in "valid" domains, or at least valid by that regexp's definition of valid. A robust network would be able to cope with those sort of typos too. However I won't argue with you guys who have operational experience of eduroam. If you say pre-validation is a good idea then it is. In that case though, I would be inclined to write a validation regexp which fully matches the ABNF in RFC 2486. Regards, Brian.