about eap_handler

blue_11j at yahoo.co.jp
Tue Jun 24 11:59:31 CEST 2008


Thank you for your reply.

Alan DeKok <aland at deployingradius.com> wrote:

> blue_11j at yahoo.co.jp wrote:
> > but it looks like this:
> >   When radiusd receives an EAP-Identity request,
> >   eaplist_add(inst, handler) is called in eap_authenticate()
> >   in rlm_eap.c,
> >   and the handler is allocated by eap_handler_alloc()
> >   in eap_handler() in eap.c.
> 
>   Hmm...  OK.  So long as one non-identity packet comes through, this
> shouldn't be a problem.

Yes.
The problem is when a malicious "EAP Identity DoS attack" is received.


>   But OK, I'll look into fixing that in the next release.

If possible, we want to fix that in FR 1.1.7.
Which way do you think is better?
- In eaplist_add(), expire the eap_handler the same way as
  eaplist_find().
or
- If it continues to receive EAP Identity packets over a limit number,
  add no more to the list and ignore them
   (if it receives a non-identity packet, reset the counter).
or some other way ...






More information about the Freeradius-Users mailing list
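
The two options proposed in the message above (expire stale handlers at insert time, and cap consecutive Identity packets per peer), combined in one sketch. This is an added example, not part of the original post and not FreeRADIUS code; the function names, table size, TTL and limit are all assumptions chosen for illustration.

```c
/* Added illustration: every name and constant is hypothetical, not FreeRADIUS code. */
#include <stdio.h>
#include <time.h>
#define MAX_SESSIONS   4    /* tiny table so the sample run fills it */
#define SESSION_TTL    30   /* assumed lifetime in seconds of an unanswered handler */
#define IDENTITY_LIMIT 3    /* assumed cap on consecutive Identity packets per peer */

struct session { int used; unsigned peer; time_t created; };
static struct session table[MAX_SESSIONS];
static unsigned id_count[256];          /* consecutive Identity packets per peer */

/* Option 1: expire stale handlers when adding, not only when looking one up. */
static void expire_old(time_t now) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i].used && now - table[i].created > SESSION_TTL)
            table[i].used = 0;
}

/* Option 2, reset half: a non-identity packet clears the peer's counter. */
void note_non_identity(unsigned peer) { id_count[peer & 0xff] = 0; }

/* Called for an Identity packet; returns 1 if a handler was stored, else 0. */
int identity_add(unsigned peer, time_t now) {
    peer &= 0xff;
    if (id_count[peer] >= IDENTITY_LIMIT)
        return 0;                       /* over the limit: ignore, add nothing */
    id_count[peer]++;                   /* saturates at the limit, cannot wrap */
    expire_old(now);
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (!table[i].used) {
            table[i] = (struct session){1, peer, now};
            return 1;
        }
    return 0;                           /* table full of live handlers */
}

int session_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_SESSIONS; i++)
        n += table[i].used;
    return n;
}

int main(void) {
    for (int i = 0; i < 5; i++)         /* constructed input: peer 7 repeats Identity */
        printf("identity #%d stored=%d\n", i + 1, identity_add(7, 1000 + i));
    return 0;
}
```

The per-peer counter only helps when the flood comes from a stable source identifier; the expiry at insert time is what bounds the list when it does not.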