Jouni Malinen wrote:
The main (well, more or less, the only) reason for that limit on number of round trips is to work around issues where the EAP peer and server ended up in an infinite loop ACKing their messages. I would prefer to change that to be based on whether any real progress has been made during the last round trip or two, i.e., to remove the hard limit and allow as many round trips as it takes to get through the authentication (or whatever else one adds into EAP, e.g., TNC). It would be nicer to support the whatever maximum length is described for EAP-TLS or TNC, but not at the cost of bringing back interop issues that may result in infinite authentication loops.
Defining "progress" per EAP type may be difficult.
Anyway, the only case I remember of someone discussing the round trip limit as a too strict limit was for TNC, not for certificate sizes. If someone is really using huge certificates (or well, long enough chain to make the total size of the TLS message long) in real world, I would like to make sure it can be done. I just haven't come up with a real use case so far.
Yes, I recall those discussions related to TNC and NEA a while ago.
From what I see in the standards now, there is no reason for *bulk* transfer of data over EAP. The TNC standards require pretty small data transfers.
And even if wpa_supplicant is changed, it will be difficult to change the millions of AP's out there. Alan DeKok.