addition to policy.conf

Brian Candler B.Candler at pobox.com
Mon Jun 4 18:53:02 CEST 2012


On Mon, Jun 04, 2012 at 10:45:53AM +0100, Phil Mayers wrote:
> On 06/03/2012 08:38 PM, Brian Candler wrote:
> 
> >
> >The same argument applies to RADIUS proxying IMO.
> 
> As others have suggested, this is not a great idea.
> 
> One specific technical problem is that, for a given source port &
> destination proxy, you can only have ~255 radius packets in-flight
> at any given moment, because of the limited radius ID space.
> 
> If you don't sanitise input before proxying, an accidental or
> malicious attempt to authenticate to a roaming consortium member
> could potentially cause denial of service on one or more proxies in
> the hierarchy (and in fact, this very thing has happened in
> eduroam).

If I wanted to do a DoS attack, I would simply submit valid-looking (but
non-existent) realms, or indeed invalid usernames at valid realms, which
would force the proxying all the way through to the end server for that
realm.

Also, I would expect that the majority of typos would result in "valid"
domains, or at least valid by that regexp's definition of valid. A robust
network would be able to cope with those sort of typos too.

However I won't argue with you guys who have operational experience of
eduroam.  If you say pre-validation is a good idea then it is.

In that case though, I would be inclined to write a validation regexp which
fully matches the ABNF in RFC 2486.

Regards,

Brian.


More information about the Freeradius-Devel mailing list