RadSec FR3.0 to Radiator: "Received packet will be too large"
Stefan Winter
stefan.winter at restena.lu
Thu Feb 23 07:43:44 CET 2012
Hi,
>> We're piloting RadSec as a federation server uplink. They use Radiator. When we first attempted to connect we'd get
>> a "Received packet will be too large!" carp from main/tls.c. They checked on their end and say they have no fragment
>> size option for RadSec TLS connections, only for EAP-TLS connections.

The above doesn't make much sense to me... there are size limits in
RADIUS, but not regarding the TLS stream around them. The limits in
question are:

- EAP-Message total length must be <= MTU between NAS and device (EAP
  cannot be fragmented on layer 2)
- RADIUS datagram total length 4096 Bytes (arbitrary RFC limit)

The RADIUS/TLS wrapper around those datagrams is not size-limited at all
- it carries streams on "n" RADIUS datagrams. The TCP stack will take
care of sending the data in chunks like with any other TCP based protocol.

My guess is that main/tls.c "thinks" it operates within an EAP context
and tries to warn of too big data chunks, while there is actually
nothing to warn about.

Greetings,
Stefan Winter
>>
>> So we applied the below as a test and it works, but I was wondering as to the wisdom of it...
>
> interesting....a RADSEC packet can be much bigger than that too - 2048 gives some room for a big
> certificate - but not if it's double-chained with intermediate and it's got a nice security size
> instead of being a little 512-bit RSA one. typically EAP-TLS can be fragmented on the server due
> to it going through to the end-clients ..and being UDP things get a little nasty...whereas with RADSEC
> there's no reason why a single TCP request couldn't be quite large and needing to be fragmented
> by the routers....
>
> alan
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
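
The framing described in this message, as an added example that is not part of the original thread and is not FreeRADIUS or Radiator code: a receiver reads RADIUS packets out of the decrypted TLS byte stream using the 2-byte length field in each RADIUS header, so the 4096-byte limit is enforced per packet while reads of any size are accepted. The names `radsec_stream`, `radsec_feed`, `radsec_next` and `demo_deframe` are hypothetical, and the sample stream is constructed.

```c
#include <stdint.h>
#include <string.h>

#define RADIUS_HDR_LEN 20   /* code, id, length (2 bytes), authenticator (16) */
#define RADIUS_MAX_LEN 4096 /* limit on each RADIUS packet, not on the stream */

/* Hypothetical per-connection reassembly buffer (name is an assumption). */
typedef struct { uint8_t buf[2 * RADIUS_MAX_LEN]; size_t used; } radsec_stream;

/* Append bytes read from the TLS layer; -1 if the buffer was not drained. */
int radsec_feed(radsec_stream *s, const uint8_t *data, size_t len) {
    if (len > sizeof(s->buf) - s->used) return -1;
    memcpy(s->buf + s->used, data, len);
    s->used += len;
    return 0;
}

/* Next complete packet into out: its length, 0 = need more data, -1 = bad length. */
int radsec_next(radsec_stream *s, uint8_t *out) {
    if (s->used < 4) return 0;                      /* length field not here yet */
    size_t plen = ((size_t)s->buf[2] << 8) | s->buf[3];
    if (plen < RADIUS_HDR_LEN || plen > RADIUS_MAX_LEN) return -1;
    if (s->used < plen) return 0;                   /* packet continues in a later read */
    memcpy(out, s->buf, plen);
    memmove(s->buf, s->buf + plen, s->used - plen); /* keep the start of the next packet */
    s->used -= plen;
    return (int)plen;
}

/* Constructed input: packets of 3000, 20 and last_len bytes back to back,
 * delivered in chunk-byte reads. Returns packets recovered, or -1 on error. */
int demo_deframe(size_t chunk, size_t last_len) {
    static uint8_t wire[3 * RADIUS_MAX_LEN];        /* zero-filled sample stream */
    uint8_t pkt[RADIUS_MAX_LEN];
    size_t lens[3] = { 3000, 20, last_len }, total = 0;
    radsec_stream s = { {0}, 0 };
    int n, count = 0;
    if (chunk == 0) return -1;
    for (int i = 0; i < 3; i++) {                   /* only code and length are set */
        wire[total] = 1;
        wire[total + 2] = (uint8_t)(lens[i] >> 8);
        wire[total + 3] = (uint8_t)(lens[i] & 0xff);
        total += lens[i];
    }
    for (size_t off = 0; off < total; off += chunk) {
        size_t len = total - off < chunk ? total - off : chunk;
        if (radsec_feed(&s, wire + off, len) < 0) return -1;
        while ((n = radsec_next(&s, pkt)) > 0) count++;
        if (n < 0) return -1;                       /* length field outside 20..4096 */
    }
    return count;
}
```

The same three packets are recovered whether the stream arrives one byte at a time or in a single 7116-byte read; only a length field outside 20..4096 is rejected.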