Andriy Gapon <avg@icyb.net.ua> wrote:
I think that it would be nice if list of such situations could be configurable and extensible.
No. Dropping the packet is a security decision and there is no reason to make it configurable.
For example, there are some RADIUS-related solutions/drafts out there that require requests being silently dropped if they don't have Message-Authenticator or have incorrect value of Message-Authenticator. Neither can be done now with FreeRADIUS without modifying its source code.
Then we will modify the source code to add those cases, like we did when EAP support was added.
1. have a configurable list of attributes that require Message-Authenticator (so that I could put Message-Digest there, for example, in addition to EAP-Message)
Then people will edit the list to break the server. No.
2. have a configuration knob that could tell "drop all incoming messages without Message-Authenticator"
That could be done.
3. do Message-Authenticator value validation in rad_recv() (this could be configurable too, defaulting to current behavior)
No. It's a perfomance issue.
Even more flexible would be a capability to silently drop packet in any (auth) module, but I think that it would require a lot of work. BTW, there is a bug report in FreeRADIUS bugzilla related to this (it's not mine): http://bugs.freeradius.org/show_bug.cgi?id=313
It's a bad idea, it violates the RFC's, and it makes your network more unstable. Alan DeKok.