about eap_handler
Hi, I'm sorry that I am not good at English because I'm Japanese... I have a question about eap_handler. I understand that... if radiusd recieved EAP-Identify packet, eap_handler is allocated and added to eaplist. if radiusd will be not received next EAP packet(except EAP-Identiry) forever, When is the eap_handler deleted from the eaplist and freed ? will radiusd use too large memory by 'Dos attack using EAP-Identiry' ? -------------------------------------- GANBARE! NIPPON! Chance to win 50,000 Yahoo! Points! http://pr.mail.yahoo.co.jp/ganbare-nippon/
blue_11j@yahoo.co.jp wrote:
if radiusd will be not received next EAP packet(except EAP-Identiry) forever, When is the eap_handler deleted from the eaplist and freed ?
See the source code. eaplist_find() will remove expired sessions from the list.
will radiusd use too large memory by 'Dos attack using EAP-Identiry' ?
It is difficult to tell the difference between a lot of people trying to log in, and a DoS attack. If you have suggestions... Alan DeKok.
Thank you for your reply.
if radiusd will be not received next EAP packet(except EAP-Identiry) forever, When is the eap_handler deleted from the eaplist and freed ?
See the source code. eaplist_find() will remove expired sessions from the list.
I found calling eaplist_find() in eap.c, if (eap_packet->data[0] != PW_EAP_IDENTITY) { handler = eaplist_find(inst, request, eap_packet); .... } If radiusd continue receiving EAP-Identiry packet only (it is malicious attack, not many trying to login.), is eaplist_find() called ? -------------------------------------- GANBARE! NIPPON! Chance to win 50,000 Yahoo! Points! http://pr.mail.yahoo.co.jp/ganbare-nippon/
blue_11j@yahoo.co.jp wrote:
I found calling eaplist_find() in eap.c, if (eap_packet->data[0] != PW_EAP_IDENTITY) { handler = eaplist_find(inst, request, eap_packet); .... }
If radiusd continue receiving EAP-Identiry packet only (it is malicious attack, not many trying to login.), is eaplist_find() called ?
No. But this doesn't matter, because EAP-Identity requests aren't put into the list. Again, this is in the source code. Alan DeKok.
If radiusd continue receiving EAP-Identiry packet only (it is malicious attack, not many trying to login.), is eaplist_find() called ?
No. But this doesn't matter, because EAP-Identity requests aren't put into the list.
Again, this is in the source code.
I'm sorry ... but it look like that: When radiusd received EAP-Identify request, eaplist_add(inst, handler) called in eap_authenticate() in rlm_eap.c, and the handler is allocated by eap_handler_alloc() in eap_handler() in eap.c. -------------------------------------- GANBARE! NIPPON! Chance to win 50,000 Yahoo! Points! http://pr.mail.yahoo.co.jp/ganbare-nippon/
blue_11j@yahoo.co.jp wrote:
but it look like that: When radiusd received EAP-Identify request, eaplist_add(inst, handler) called in eap_authenticate() in rlm_eap.c, and the handler is allocated by eap_handler_alloc() in eap_handler() in eap.c.
Hmm... OK. So long as one non-identity packet comes through, this shouldn't be a problem. But OK, I'll look into fixing that in the next release. Alan DeKok.
Thank you for your reply. Alan DeKok <aland@deployingradius.com> wrote:
blue_11j@yahoo.co.jp wrote:
but it look like that: When radiusd received EAP-Identify request, eaplist_add(inst, handler) called in eap_authenticate() in rlm_eap.c, and the handler is allocated by eap_handler_alloc() in eap_handler() in eap.c.
Hmm... OK. So long as one non-identity packet comes through, this shouldn't be a problem.
Yes, It is the problem that received malicious "EAP Identity DoS attack".
But OK, I'll look into fixing that in the next release.
if possible, we want to fix that in FR 1.1.7. Which way better do you think ? - in eaplist_add(), expire the eap_handler same as eaplist_find(). or.. - if it continue to receive EAP Identity over limit number, no more add to list and ignore. (if it receive non-identity packet, reset counter). or other way ... -------------------------------------- GANBARE! NIPPON! Chance to win 50,000 Yahoo! Points! http://pr.mail.yahoo.co.jp/ganbare-nippon/
blue_11j@yahoo.co.jp wrote:
if possible, we want to fix that in FR 1.1.7.
I don't think there is a need to fix it in 1.1.7.
Which way better do you think ? - in eaplist_add(), expire the eap_handler same as eaplist_find(). or.. - if it continue to receive EAP Identity over limit number, no more add to list and ignore. (if it receive non-identity packet, reset counter). or other way ...
Both. I have committed a fix to CVS head that: - limits the number of sessions (2k is the default) - expires sessions in eaplist_add() Alan DeKok.
Alan DeKok <aland@deployingradius.com> wrote:
Both. I have committed a fix to CVS head that:
- limits the number of sessions (2k is the default) - expires sessions in eaplist_add()
thank you. I will try to make a patch for FR-1.1.7. -------------------------------------- GANBARE! NIPPON! Chance to win 50,000 Yahoo! Points! http://pr.mail.yahoo.co.jp/ganbare-nippon/
Both. I have committed a fix to CVS head that:
I tried to make a patch for FR-1.1.7 like that fix. but, When it continue to receive EAP-Identity only(Dos Attack), 1) growing up memory usage of radiusd. 2) over max_sessions, growing up memory usage stopped. it is ok. 3) but, starting expiring old handler and add new handler, growing up memory usage of radiusd, again. to expiring eap handler, only call eap_handler_free() ? is there other memory leak still ? do you have any idea ? another question, do you think about that... to ignoring EAP-Identity when over max_sessions, what kind of state is should return at eap_authenticate()? PW_MODULE_FAIL or NOOP or REJECT ? # I'm sorry, do you understand my english? --- blue_11j@yahoo.co.jp wrote:
Alan DeKok <aland@deployingradius.com> wrote:
Both. I have committed a fix to CVS head that:
- limits the number of sessions (2k is the default) - expires sessions in eaplist_add()
thank you. I will try to make a patch for FR-1.1.7.
-------------------------------------- GANBARE! NIPPON! Chance to win 50,000 Yahoo! Points! http://pr.mail.yahoo.co.jp/ganbare-nippon/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-------------------------------------- Power up the Internet with Yahoo! Toolbar. http://pr.mail.yahoo.co.jp/toolbar/
blue_11j@yahoo.co.jp wrote:
I tried to make a patch for FR-1.1.7 like that fix.
but, When it continue to receive EAP-Identity only(Dos Attack), 1) growing up memory usage of radiusd. 2) over max_sessions, growing up memory usage stopped. it is ok. 3) but, starting expiring old handler and add new handler, growing up memory usage of radiusd, again.
to expiring eap handler, only call eap_handler_free() ?
Yes.
is there other memory leak still ?
No idea. Use "valgrind" to see what's going on. And please don't spend effort on 1.1.7. It is old, unsupported, and all new development is on the 2.0 branch.
to ignoring EAP-Identity when over max_sessions, what kind of state is should return at eap_authenticate()? PW_MODULE_FAIL or NOOP or REJECT ?
FAIL.
# I'm sorry, do you understand my english?
Your english is fine. Alan DeKok.
Hi, I have read in list that, *Steffen Bartsch *was planning to develop a module for a TNC server linking freeradius with libtnc. (in 2007) Does someone know something about it? Regards, Fernando.
Fernando wrote:
I have read in list that, *Steffen Bartsch *was planning to develop a module for a TNC server linking freeradius with libtnc. (in 2007)
Does someone know something about it?
Download the latest version of the server. Look for the TNC module. Alan DeKok.
Alan DeKok wrote:
Fernando wrote:
I have read in list that, *Steffen Bartsch *was planning to develop a module for a TNC server linking freeradius with libtnc. (in 2007)
Does someone know something about it?
Download the latest version of the server. Look for the TNC module.
The last version works with libtnc?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fernando wrote:
Alan DeKok wrote:
Fernando wrote:
I have read in list that, *Steffen Bartsch *was planning to develop a module for a TNC server linking freeradius with libtnc. (in 2007)
Does someone know something about it?
Download the latest version of the server. Look for the TNC module.
The last version works with libtnc? callTNCS = (ExchangeTNCCSMessagePointer) getProcAddress(handle, "exchangeTNCCSMessages"); This is the link to perform a dialog between Freeradius and the TNCS?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
blue_11j@yahoo.co.jp -
Fernando