addition to policy.conf

Phil Mayers p.mayers at
Tue Jun 5 12:44:38 CEST 2012

On 06/04/2012 05:53 PM, Brian Candler wrote:

> If I wanted to do a DoS attack, I would simply submit valid-looking (but
> non-existent) realms, or indeed invalid usernames at valid realms, which
> would force the proxying all the way through to the end server for that
> realm.

Sure. Sanitising doesn't protect against even slightly determined 
attacks. But it is an improvement over no sanitisation at all - 
experience in the eduroam environment has demonstrated that.

> Also, I would expect that the majority of typos would result in "valid"

You'd be surprised! We see some extraordinary stuff; I'm not even sure 
how some of it gets typed in by the user. I think the username with a 
newline / "\n" in it was the most impressive...

> domains, or at least valid by that regexp's definition of valid. A robust
> network would be able to cope with those sort of typos too.

Ideally, yes. Unfortunately RADIUS is an old protocol, and layering the 
kind of semantics required on top of it, especially when some 
participants in the roaming network insist on using crappy RADIUS 
servers (i.e. NOT FR) is tricky.

Sanitisation is really a very small part of that, but it's helpful 

> However I won't argue with you guys who have operational experience of
> eduroam.  If you say pre-validation is a good idea then it is.
> In that case though, I would be inclined to write a validation regexp which
> fully matches the ABNF in RFC 2486.

IIRC that's actually very difficult, maybe impossible, with classic 
regexps. Maybe it's possible with the PCRE path I added a while back, 
but I'm not sure.

More information about the Freeradius-Devel mailing list