Valts Mazurs wrote:
In my implementation requests from unauthorized clients (as in FreeRADIUS - whose IP address is not found in clients.conf) are not put into the queue at all. I decided to ignore them completely.
That's what the RFC's say, because it's a good idea. But look at the following scenario, which actually happened in a FreeRADIUS installation. Something went wrong in a customer site, and they continually tried to login. As soon as they logged in, they logged off again. The result was a DoS from a *known* client. Using a FILO queue means that it's likely that most of the "new" requests are from the broken user, so *good* users get blocked. A FIFO queue isn't a whole lot better, but FreeRADIUS also limits the queue size. So the bad user is more likely to get blocked than good users, and if users wait long enough, they get on the net. Again, your ideas are interesting, but not realistic. Many of the FreeRADIUS developers have been working with RADIUS for over a decade (nearly 15 years for some), and there are often good reasons why "optimizations" are not done. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog