Hi,
many of these problems are created by firewalls configured to throw away fragmented UDP (eg Solaris by default will discard fragmented packets).
Yes, that's the problem we faced and eliminated about a year ago in eduroam. The issue at hand is that your firewall will likely never encounter a fragment because the originating hosts prevents fragmenting in the first place.
obviously UDP fragments are quite right and can be DoS material... but if you ensure only your RADIUS proxies to national proxies can actually have fragmented UDP then it fixes things nicely.
In a protocol like RADIUS UDP fragments can occur alright, and preventing them from the OS layer just breaks RADIUS. Many many people in eduroam who use EAP-TLS can sing a song of failed authentications at random places, when it worked alright at home. Admitted, this enables DoS onto 1812/UDP with non-first fragments, but too bad. Fragment support is *required* for proper RADIUS operation.
on the same host. Luckily, IPv6 doesn't seem to be affected since MTU discovery works differently there (AFAIK).
it does :-)
Thanks :-) Greetings, Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473