addition to policy.conf
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jun 5 12:44:38 CEST 2012
On 06/04/2012 05:53 PM, Brian Candler wrote:
> If I wanted to do a DoS attack, I would simply submit valid-looking (but
> non-existent) realms, or indeed invalid usernames at valid realms, which
> would force the proxying all the way through to the end server for that
> realm.

Sure. Sanitising doesn't protect against even slightly determined
attacks. But it is an improvement over no sanitisation at all -
experience in the eduroam environment has demonstrated that.

>
> Also, I would expect that the majority of typos would result in "valid"

You'd be surprised! We see some extraordinary stuff; I'm not even sure
how some of it gets typed in by the user. I think the username with a
newline / "\n" in it was the most impressive...

> domains, or at least valid by that regexp's definition of valid. A robust
> network would be able to cope with those sort of typos too.

Ideally, yes. Unfortunately RADIUS is an old protocol, and layering the
kind of semantics required on top of it, especially when some
participants in the roaming network insist on using crappy RADIUS
servers (i.e. NOT FR) is tricky.

Sanitisation is really a very small part of that, but it's helpful
nonetheless.

>
> However I won't argue with you guys who have operational experience of
> eduroam. If you say pre-validation is a good idea then it is.
>
> In that case though, I would be inclined to write a validation regexp which
> fully matches the ABNF in RFC 2486.

IIRC that's actually very difficult, maybe impossible, with classic
regexps. Maybe it's possible with the PCRE path I added a while back,
but I'm not sure.
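
An added example, not part of either poster's message and not FreeRADIUS code: the pre-proxy User-Name check discussed in this thread, written in Python as a hand-rolled scanner instead of a regexp. The character classes are this example's reading of the RFC 2486 grammar (an assumption to check against the RFC), the function names are hypothetical, and requiring a dot in the realm and refusing escaped control characters are choices made here.

```python
import string

# Character classes as this example reads the RFC 2486 grammar (assumption).
SPECIALS = set('<>()[]\\.,;:@"')
LET_DIG = set(string.ascii_letters + string.digits)


def scan_username(s):
    """Return the index where the username (dot-string) ends, or -1 if bad."""
    i, run = 0, 0                      # run = chars seen since the last dot
    while i < len(s) and s[i] != "@":
        ch = s[i]
        if ch == "\\":                 # escape: accept printable ASCII only
            if i + 1 >= len(s) or not 0x20 < ord(s[i + 1]) < 0x7F:
                return -1
            i, run = i + 2, run + 1
        elif ch == ".":
            if run == 0:               # leading dot or ".."
                return -1
            i, run = i + 1, 0
        elif ord(ch) <= 0x20 or ord(ch) >= 0x7F or ch in SPECIALS:
            return -1                  # control, space, DEL, 8-bit, special
        else:
            i, run = i + 1, run + 1
    return i if run > 0 else -1        # empty username or trailing dot


def valid_realm(realm):
    """Dot-separated labels of letters, digits, '-'; let-dig at both ends."""
    labels = realm.split(".")
    if len(labels) < 2:                # choice made here: realm needs a dot
        return False
    return all(
        lab and lab[0] in LET_DIG and lab[-1] in LET_DIG
        and all(c in LET_DIG or c == "-" for c in lab)
        for lab in labels
    )


def check_nai(user_name):
    """Return (ok, reason); the caller rejects locally when ok is False."""
    end = scan_username(user_name)
    if end < 0:
        return False, "bad username"
    if end == len(user_name):
        return True, "no realm"
    if not valid_realm(user_name[end + 1:]):
        return False, "bad realm"
    return True, "ok"
```

As the thread notes, a check like this only filters malformed input; a well-formed but non-existent realm still passes and is proxied.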