RADIUS/UDP and the DF bit

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Tue Aug 18 11:47:45 CEST 2009

> Hello,
> now this is unpleasant: Apparently, many OSes set the DF bit on every
> datagram they send, if Path MTU discovery is turned on. Even on UDP packets.
> This breaks your RADIUS communication if datagram > MTU. I have reason
> to believe that this has led to numerous problems with EAP-TLS in
> eduroam, for example.

many of these problems are created by firewalls configured to
throw away fragmented UDP (eg Solaris by default will discard
fragmented packets).

obviously UDP fragments are quite right and can be DoS material...
but if you ensure only your RADIUS proxies to national proxies
can actually have fragmented UDP then it fixes things nicely.

> on the same host. Luckily, IPv6 doesn't seem to be affected since MTU
> discovery works differently there (AFAIK).

it does :-)


More information about the Freeradius-Devel mailing list