On 06/04/2012 05:53 PM, Brian Candler wrote:
If I wanted to do a DoS attack, I would simply submit valid-looking (but non-existent) realms, or indeed invalid usernames at valid realms, which would force the proxying all the way through to the end server for that realm.
Sure. Sanitising doesn't protect against even slightly determined attacks. But it is an improvement over no sanitisation at all - experience in the eduroam environment has demonstrated that.
Also, I would expect that the majority of typos would result in "valid"
You'd be surprised! We see some extraordinary stuff; I'm not even sure how some of it gets typed in by the user. I think the username with a newline / "\n" in it was the most impressive...
domains, or at least valid by that regexp's definition of valid. A robust network would be able to cope with those sort of typos too.
Ideally, yes. Unfortunately RADIUS is an old protocol, and layering the kind of semantics required on top of it, especially when some participants in the roaming network insist on using crappy RADIUS servers (i.e. NOT FR) is tricky. Sanitisation is really a very small part of that, but it's helpful nonetheless.
However I won't argue with you guys who have operational experience of eduroam. If you say pre-validation is a good idea then it is.
In that case though, I would be inclined to write a validation regexp which fully matches the ABNF in RFC 2486.
IIRC that's actually very difficult, maybe impossible, with classic regexps. Maybe it's possible with the PCRE path I added a while back, but I'm not sure.