RADIUS/UDP and the DF bit

Stefan Winter stefan.winter at restena.lu
Tue Aug 18 10:01:22 CEST 2009


Hello,

now this is unpleasant: Apparently, many OSes set the DF bit on every
datagram they send, if Path MTU discovery is turned on. Even on UDP packets.
This breaks your RADIUS communication if datagram > MTU. I have reason
to believe that this has led to numerous problems with EAP-TLS in
eduroam, for example.

It is of course in principle not a FreeRADIUS problem but an OS one
(speaking here of Linux in particular), yet other software like BIND
takes precautions against that and I think it might be good to do the
same in FreeRADIUS as well (i.e. explicitly disable the IP_DONTFRAG socket
option).

To illustrate the problem (FR 2.1.6 on a host called radius-1):

09:54:55.234018 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 291) tld1.eduroam.lu.56581 >
radius-1.restena.lu.radius: [udp sum ok] RADIUS, length: 263
09:54:55.234315 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 314) radius-1.restena.lu.tdp-suite >
eomund.restena.lu.radius: [udp sum ok] RADIUS, length: 286
09:54:55.241858 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto
UDP (17), length 1123) eomund.restena.lu.radius >
radius-1.restena.lu.tdp-suite: [udp sum ok] RADIUS, length: 1095
09:54:55.242170 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 1118) radius-1.restena.lu.radius >
tld1.eduroam.lu.56581: [udp sum ok] RADIUS, length: 1090

"Flags [DF]" means pain.

One workaround is to disable Path MTU discovery on the IP layer of the
host (/proc/sys/net/ipv4/ip_no_pmtu_disc), but obviously, that's a bad
workaround since it will ruin Path MTU discovery for every TCP service
on the same host. Luckily, IPv6 doesn't seem to be affected since MTU
discovery works differently there (AFAIK).

The BIND sources have a small workaround in their socket code to get
around that:

#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
                /*
                 * Turn off Path MTU discovery on IPv4/UDP sockets
                 * (Linux: the kernel then sends without the DF bit).
                 */
                if (sock->pf == AF_INET) {
                        int action = IP_PMTUDISC_DONT;
                        (void)setsockopt(sock->fd, IPPROTO_IP, IP_MTU_DISCOVER,
                                         &action, sizeof(action));
                }
#endif
#if defined(IP_DONTFRAG)
                /*
                 * Clear the DF bit on IPv4/UDP sockets on platforms
                 * that expose it directly (e.g. some BSDs/Solaris).
                 */
                if (sock->pf == AF_INET) {
                        int off = 0;
                        (void)setsockopt(sock->fd, IPPROTO_IP, IP_DONTFRAG,
                                         &off, sizeof(off));
                }
#endif


May I suggest doing a similar thing in FreeRADIUS?

The same happens on Radiator BTW, and I will post a similar message to
these guys as well.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
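The per-socket fix described above, as an added stand-alone example (not code from the post, BIND or FreeRADIUS): it opens an IPv4/UDP socket, disables Path MTU discovery on it the way the quoted BIND snippet does, and reads the mode back so the effect can be verified. It assumes Linux (IP_MTU_DISCOVER / IP_PMTUDISC_DONT); the function names are hypothetical.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Turn off per-socket Path MTU discovery on an IPv4/UDP socket so the
 * kernel sends datagrams without the DF bit (and fragments oversized
 * ones instead of dropping them). Mirrors the BIND approach: the Linux
 * option first, the BSD-style IP_DONTFRAG as a fallback.
 * Returns 0 on success, -1 with errno set otherwise. */
int udp_allow_fragmentation(int fd)
{
#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
    int action = IP_PMTUDISC_DONT;
    return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &action, sizeof(action));
#elif defined(IP_DONTFRAG)
    int off = 0;
    return setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &off, sizeof(off));
#else
    (void)fd;
    errno = ENOPROTOOPT;   /* platform offers neither knob */
    return -1;
#endif
}

/* Read back the socket's PMTU-discovery mode (Linux only).
 * Returns the IP_PMTUDISC_* value, or -1 if unavailable. */
int udp_pmtu_mode(int fd)
{
#if defined(IP_MTU_DISCOVER)
    int mode = -1;
    socklen_t len = sizeof(mode);
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, &len) != 0)
        return -1;
    return mode;
#else
    (void)fd;
    return -1;
#endif
}

/* Open an IPv4/UDP socket suitable for RADIUS and apply the fix.
 * Returns the descriptor, or -1 on failure. */
int open_radius_udp_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (udp_allow_fragmentation(fd) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

Default Linux sockets usually report mode 1 (IP_PMTUDISC_WANT); after the call they report 0 (IP_PMTUDISC_DONT), which is the state in which the DF flag seen in the trace is no longer set.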



