addition to policy.conf
Brian Candler
B.Candler at pobox.com
Mon Jun 4 18:53:02 CEST 2012
On Mon, Jun 04, 2012 at 10:45:53AM +0100, Phil Mayers wrote:
> On 06/03/2012 08:38 PM, Brian Candler wrote:
>
> >
> >The same argument applies to RADIUS proxying IMO.
>
> As others have suggested, this is not a great idea.
>
> One specific technical problem is that, for a given source port &
> destination proxy, you can only have ~255 radius packets in-flight
> at any given moment, because of the limited radius ID space.
>
> If you don't sanitise input before proxying, an accidental or
> malicious attempt to authenticate to a roaming consortium member
> could potentially cause denial of service on one or more proxies in
> the hierarchy (and in fact, this very thing has happened in
> eduroam).
If I wanted to do a DoS attack, I would simply submit valid-looking (but
non-existent) realms, or indeed invalid usernames at valid realms, which
would force the proxying all the way through to the end server for that
realm.
Also, I would expect that the majority of typos would result in "valid"
domains, or at least valid by that regexp's definition of valid. A robust
network would be able to cope with those sort of typos too.
However I won't argue with you guys who have operational experience of
eduroam. If you say pre-validation is a good idea then it is.
In that case though, I would be inclined to write a validation regexp which
fully matches the ABNF in RFC 2486.
Regards,
Brian.
More information about the Freeradius-Devel
mailing list