aland at deployingradius.com
Tue Jan 16 15:50:28 CET 2007
Valts Mazurs wrote:
> In my implementation requests from unauthorized clients (as in
> FreeRADIUS - whose IP address is not found in clients.conf) are not put
> into the queue at all. I decided to ignore them completely.
That's what the RFCs say, because it's a good idea. But look at the
following scenario, which actually happened in a FreeRADIUS installation.
Something went wrong at a customer site, and they continually tried to
log in. As soon as they logged in, they logged off again. The result
was a DoS from a *known* client.
Using a FILO queue means that it's likely that most of the "new"
requests are from the broken user, so *good* users get blocked. A FIFO
queue isn't a whole lot better, but FreeRADIUS also limits the queue
size. So the bad user is more likely to get blocked than good users,
and if users wait long enough, they get on the net.
Again, your ideas are interesting, but not realistic. Many of the
FreeRADIUS developers have been working with RADIUS for over a decade
(nearly 15 years for some), and there are often good reasons why
"optimizations" are not done.
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
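The queue-discipline argument above can be checked with a toy model. The following simulation is an added example, not code from this thread or from FreeRADIUS: one authorised client floods the server every tick, a few well-behaved clients each send one request and retransmit on a timer, and the server answers fewer requests per tick than the flood alone. It runs the same traffic through a LIFO queue, an unbounded FIFO queue, and a FIFO queue with a size limit that drops new arrivals when full. All parameters (3 served per tick, 6 flood packets per tick, retry every 5 ticks, limit 9) and the placement of each good client's packet ahead of that tick's flood burst are assumptions of the model, chosen so the result is deterministic.

```python
"""Toy model of a RADIUS request queue under a flood from a *known* client.

Constructed example; not FreeRADIUS code.  One authorised but broken client
sends FLOOD_PER_TICK requests every tick, forever.  A few good clients each
send one request and retransmit it every RETRY_INTERVAL ticks until answered.
The server answers SERVE_PER_TICK requests per tick, less than the flood.

Disciplines compared:
  lifo        newest request served first, no size limit
  fifo        oldest first, no size limit
  fifo+limit  oldest first, new arrivals dropped once QUEUE_LIMIT is reached

Modelling assumption: within a tick, a good client's packet is placed ahead
of that tick's burst from the flooder.  This is a simplification that makes
the outcome deterministic, not a measurement of real packet ordering.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

SERVE_PER_TICK = 3               # server capacity per tick (assumed)
FLOOD_PER_TICK = 6               # requests per tick from the broken client (assumed)
RETRY_INTERVAL = 5               # ticks a good client waits before retransmitting
TICKS = 20
GOOD_FIRST_SEND = (0, 4, 8, 12)  # tick at which each good client first sends
QUEUE_LIMIT = 9                  # size limit for the bounded FIFO run (assumed)


@dataclass
class Stats:
    served: dict = field(default_factory=lambda: {"good": 0, "bad": 0})
    dropped: dict = field(default_factory=lambda: {"good": 0, "bad": 0})
    latency: dict = field(default_factory=dict)  # good client id -> ticks waited
    final_queue_len: int = 0


def simulate(discipline: str, limit: Optional[int] = None) -> Stats:
    """Run the model; discipline is 'fifo' or 'lifo'; limit=None means unbounded."""
    if discipline not in ("fifo", "lifo"):
        raise ValueError(discipline)
    queue: deque = deque()   # entries are ("good", client_id) or ("bad", None)
    stats = Stats()
    done = set()             # good clients that already received an answer

    for t in range(TICKS):
        # 1. Arrivals this tick: good (re)transmissions first, then the flood.
        arrivals = [("good", i) for i, first in enumerate(GOOD_FIRST_SEND)
                    if i not in done and t >= first
                    and (t - first) % RETRY_INTERVAL == 0]
        arrivals += [("bad", None)] * FLOOD_PER_TICK

        # 2. Enqueue; with a limit, a full queue drops the *newest* request.
        for kind, cid in arrivals:
            if limit is not None and len(queue) >= limit:
                stats.dropped[kind] += 1
            else:
                queue.append((kind, cid))

        # 3. Serve up to SERVE_PER_TICK requests from the chosen end.
        for _ in range(SERVE_PER_TICK):
            if not queue:
                break
            kind, cid = queue.popleft() if discipline == "fifo" else queue.pop()
            stats.served[kind] += 1
            if kind == "good" and cid not in done:
                done.add(cid)
                stats.latency[cid] = t - GOOD_FIRST_SEND[cid]

    stats.final_queue_len = len(queue)
    return stats


if __name__ == "__main__":
    runs = (("lifo", "lifo", None), ("fifo", "fifo", None),
            ("fifo+limit", "fifo", QUEUE_LIMIT))
    for name, discipline, limit in runs:
        s = simulate(discipline, limit)
        print(f"{name:11} served={s.served} dropped={s.dropped} "
              f"latency={s.latency} backlog={s.final_queue_len}")
```

Under these assumptions LIFO never answers a good client, because every tick ends with the flooder's packets on top of the stack. Unbounded FIFO answers them, but the backlog grows by three requests per tick, so the wait grows with time (0, 4, then 8 ticks for successive clients) and the last client is still waiting when the run ends. The size-limited FIFO drops 58 of the flooder's 120 requests and none of the good ones, and every good client is answered within two ticks, which is the "bad user is more likely to get blocked" effect the post describes.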