TCP transport again

Stefan Winter stefan.winter at restena.lu
Mon Sep 28 11:56:25 CEST 2009


Hi,

> Should have made clearer that I was asking "payload being spread across
> several packets" rather than "why do EAP packets need to be large".

You can control the amount of EAP Bytes to be transferred in one RADIUS
message from server to client (eap_fragment_size). Setting it lower will
avoid fragmentation in most scenarios. But not deterministically: an
intermediate proxy may add more attributes to its liking, so your packet
can still grow beyond the local frag size limit at that point.
The second uneasy scenario: if you use EAP-TLS, the *client* will send
(potentially large) certificates itself. As the server operator, you
have no control over supplicant EAP fragment size settings. In that
case, the packet coming back from the client may need to be fragmented
anyway.
There's no real way to circumvent that (unless you have full control
over the client side), which as a corollary means: make sure your
infrastructure can handle fragments properly to be prepared. Unsetting
DF is one part, having sane firewalls that treat fragmented packets in a
dignified manner is another one.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
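The sizing argument above (a lower eap_fragment_size avoids IP fragmentation, but a proxy that appends attributes can push the datagram past the MTU anyway) as an added, runnable illustration; this is not code from the thread or from FreeRADIUS. It models one IPv4/UDP RADIUS datagram carrying a single EAP fragment, using the RFC 2865/2869 framing sizes; the 1024-byte fragment and the 450 bytes of proxy-added attributes are assumed values.

```python
"""Estimate whether a RADIUS datagram carrying one EAP fragment needs IP
fragmentation. Framing sizes follow RFC 2865 (RADIUS header) and RFC 2869
(EAP-Message, Message-Authenticator); the scenario values are constructed."""
import math

IPV4_HDR = 20
UDP_HDR = 8
RADIUS_HDR = 20                      # code, identifier, length, authenticator
AVP_HDR = 2                          # type + one-byte length field
EAP_MSG_MAX_DATA = 255 - AVP_HDR     # one EAP-Message AVP carries <= 253 bytes
MESSAGE_AUTHENTICATOR = AVP_HDR + 16 # HMAC-MD5, mandatory with EAP-Message


def eap_message_attr_bytes(eap_len):
    """Bytes used once an EAP packet is split into EAP-Message AVPs."""
    chunks = math.ceil(eap_len / EAP_MSG_MAX_DATA)
    return eap_len + chunks * AVP_HDR


def radius_datagram_size(eap_len, other_attr_bytes=0):
    """Whole IPv4 datagram size; other_attr_bytes models State, Proxy-State,
    vendor attributes etc. that the server or an intermediate proxy adds."""
    return (IPV4_HDR + UDP_HDR + RADIUS_HDR + MESSAGE_AUTHENTICATOR
            + eap_message_attr_bytes(eap_len) + other_attr_bytes)


def needs_ip_fragmentation(eap_len, mtu=1500, other_attr_bytes=0):
    return radius_datagram_size(eap_len, other_attr_bytes) > mtu


def max_eap_fragment_size(mtu=1500, other_attr_bytes=0):
    """Largest EAP fragment that still fits one datagram of the given MTU.
    Datagram size grows strictly with eap_len, so a linear scan suffices."""
    best = 0
    for n in range(1, mtu):
        if radius_datagram_size(n, other_attr_bytes) > mtu:
            break
        best = n
    return best


if __name__ == "__main__":
    frag = 1024          # assumed eap_fragment_size on the home server
    proxy_extra = 450    # assumed bytes of attributes a proxy appends
    print("server side:", radius_datagram_size(frag), "bytes, fragmented:",
          needs_ip_fragmentation(frag))
    print("after proxy :", radius_datagram_size(frag, proxy_extra), "bytes,",
          "fragmented:", needs_ip_fragmentation(frag, 1500, proxy_extra))
    print("largest fragment that fits 1500 with no extra attributes:",
          max_eap_fragment_size())
```

The numbers only cover the server-to-client direction; as the mail notes, the supplicant's own fragment size for EAP-TLS certificates is outside the server operator's control.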



