RADIUS/UDP and the DF bit

Stefan Winter stefan.winter at restena.lu
Tue Aug 18 12:00:01 CEST 2009


> many of these problems are created by firewalls configured to
> throw away fragmented UDP (eg Solaris by default will discard
> fragmented packets).

Yes, that's the problem we faced and eliminated about a year ago in
eduroam. The issue at hand is that your firewall will likely never
encounter a fragment because the originating host prevents fragmenting
in the first place.

> obviously UDP fragments are quite right and can be DoS material...
> but if you ensure only your RADIUS proxies to national proxies
> can actually have fragmented UDP then it fixes things nicely.

In a protocol like RADIUS UDP fragments can occur alright, and
preventing them from the OS layer just breaks RADIUS. Many many people
in eduroam who use EAP-TLS can sing a song of failed authentications at
random places, when it worked alright at home.

Admittedly, this enables DoS onto 1812/UDP with non-first fragments, but
too bad. Fragment support is *required* for proper RADIUS operation.

>> on the same host. Luckily, IPv6 doesn't seem to be affected since MTU
>> discovery works differently there (AFAIK).
> it does :-)

Thanks :-)



Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
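
The sender-side setting discussed in the message above, as an added example that is not part of the original post and is not FreeRADIUS code: a UDP socket asking the kernel to leave DF clear so that large RADIUS packets (for example those carrying EAP-TLS) can be fragmented. It assumes a Linux host, where `IP_MTU_DISCOVER` and the `IP_PMTUDISC_*` values are the relevant socket options; the function names are hypothetical.

```c
/* Added example (not FreeRADIUS code). Assumes Linux: IP_MTU_DISCOVER and
 * the IP_PMTUDISC_* values are Linux-specific socket options. */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Current path-MTU-discovery mode of an IPv4 socket, or -1 on error. */
int radius_udp_pmtu_mode(int fd)
{
    int mode = -1;
    socklen_t len = sizeof(mode);
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, &len) < 0)
        return -1;
    return mode;
}

/* Turn PMTU discovery off for this socket so the kernel sends datagrams
 * with DF clear and fragments anything larger than the outgoing MTU.
 * Returns 0 once the setting has been read back, -1 otherwise. */
int radius_udp_allow_fragmentation(int fd)
{
    int mode = IP_PMTUDISC_DONT;
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof(mode)) < 0)
        return -1;
    return radius_udp_pmtu_mode(fd) == IP_PMTUDISC_DONT ? 0 : -1;
}

/* What each mode means for the DF bit on outgoing datagrams. */
const char *pmtu_mode_name(int mode)
{
    switch (mode) {
    case IP_PMTUDISC_DONT:  return "DONT: DF clear, fragment when needed";
    case IP_PMTUDISC_WANT:  return "WANT: DF set unless fragmented locally";
    case IP_PMTUDISC_DO:    return "DO: DF always set, oversize send fails";
    case IP_PMTUDISC_PROBE: return "PROBE: DF set, path MTU ignored";
    default:                return "unknown";
    }
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    printf("default: %s\n", pmtu_mode_name(radius_udp_pmtu_mode(fd)));
    if (radius_udp_allow_fragmentation(fd) < 0) { perror("setsockopt"); return 1; }
    printf("now:     %s\n", pmtu_mode_name(radius_udp_pmtu_mode(fd)));
    close(fd);
    return 0;
}
```

The receiving side still has to accept fragments: a firewall that discards fragmented UDP in front of the RADIUS proxy undoes this setting.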

More information about the Freeradius-Devel mailing list