about eap_handler
blue_11j at yahoo.co.jp
Tue Jun 24 11:59:31 CEST 2008
Thank you for your reply.
Alan DeKok <aland at deployingradius.com> wrote:
> blue_11j at yahoo.co.jp wrote:
> > but it looks like this:
> > When radiusd receives an EAP-Identity request,
> > eaplist_add(inst, handler) is called in eap_authenticate()
> > in rlm_eap.c,
> > and the handler is allocated by eap_handler_alloc()
> > in eap_handler() in eap.c.
>
> Hmm... OK. So long as one non-identity packet comes through, this
> shouldn't be a problem.
Yes.
The problem is when it receives a malicious "EAP Identity DoS attack".
> But OK, I'll look into fixing that in the next release.
If possible, we want to fix that in FR 1.1.7.
Which way do you think is better?
- in eaplist_add(), expire the eap_handler the same way as
eaplist_find().
or..
- if it continues to receive EAP Identity packets over a limit number,
add no more to the list and ignore them.
(if it receives a non-identity packet, reset the counter).
or some other way ...
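The two options proposed in this message, combined in one stand-alone sketch. This is an added example, not FreeRADIUS code and not part of the thread; the struct and function names and the values of SESSION_TIMEOUT and MAX_IDENTITY_RUN are hypothetical.

```c
#include <stdlib.h>
#include <time.h>

#define SESSION_TIMEOUT  30  /* seconds a pending handler may wait (assumed value) */
#define MAX_IDENTITY_RUN 4   /* identity packets tolerated in a row (assumed value) */

struct handler { time_t created; struct handler *next; };
struct session_list {
    struct handler *head, *tail;  /* oldest handler first */
    size_t count;                 /* handlers currently stored */
    unsigned identity_run;        /* identity packets since the last non-identity one */
};

/* Option 1: free every handler older than SESSION_TIMEOUT; returns how many. */
static size_t list_expire(struct session_list *l, time_t now)
{
    size_t freed = 0;
    while (l->head && now - l->head->created > SESSION_TIMEOUT) {
        struct handler *old = l->head;
        l->head = old->next;
        if (!l->head) l->tail = NULL;
        free(old);
        l->count--; freed++;
    }
    return freed;
}

/* Called per EAP-Identity packet. Returns 1 if a handler was stored, 0 if ignored. */
int list_add_identity(struct session_list *l, time_t now)
{
    list_expire(l, now);                      /* option 1: expire on add */
    if (l->identity_run >= MAX_IDENTITY_RUN)  /* option 2: over the limit, ignore */
        return 0;
    struct handler *h = malloc(sizeof(*h));
    if (!h) return 0;
    h->created = now; h->next = NULL;
    if (l->tail) l->tail->next = h; else l->head = h;
    l->tail = h;
    l->count++;
    l->identity_run++;
    return 1;
}

/* Called per non-identity EAP packet: reset the counter, as option 2 describes. */
void list_saw_non_identity(struct session_list *l) { l->identity_run = 0; }
```

In this sketch the counter is global, so once the limit is reached every identity packet is ignored until a non-identity packet arrives; the expiry step bounds the list without that side effect.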
More information about the Freeradius-Users
mailing list