Re: [Int-area] DCHP-based authentication for DSL?

Alan DeKok <aland@nitros9.org> Thu, 25 October 2007 07:34 UTC

Message-ID: <472046D9.5030903@nitros9.org>
Date: Thu, 25 Oct 2007 09:33:45 +0200
From: Alan DeKok <aland@nitros9.org>
User-Agent: Thunderbird 2.0.0.6 (X11/20071022)
MIME-Version: 1.0
To: ric@cisco.com
Subject: Re: [Int-area] DCHP-based authentication for DSL?
References: <005501c81555$6f49f360$ba3dfea9@ad.redback.com> <471F0F26.4070006@uninett.no> <471FACDD.3000707@cisco.com> <C087AF58-A3DF-40CC-9AB2-BE30E3657A00@cisco.com> <471FB475.3020409@cisco.com>
In-Reply-To: <471FB475.3020409@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Internet Area <int-area@lists.ietf.org>
List-Id: IETF Internet Area Mailing List <int-area.lists.ietf.org>

Richard Pruss wrote:
> The fragmentation size problem may be addressed by the relay agent
> having the role of EAP authenticator, as it splits the EAP traffic into
> RADIUS out of DHCP, and DHCP messages should be normally sized to the
> server.

  RADIUS packets are maximum 4k in size, so RADIUS wouldn't be the
limiting factor.  What is the limiting factor is EAPoL, where packets
can't be fragmented.  Most RADIUS servers already look for an MTU in the
Access-Request, and limit the size of EAP responses on their end, so
that the EAP data will fit into one Ethernet packet.

  My tests on various implementations show that RADIUS servers and
802.1X supplicants appear to work with MTUs set very low, such as 100
octets.  The result is a LOT more RADIUS traffic than normal, but the
authentication process succeeds.

  So limiting the DHCP packet sizes to 500 octets shouldn't affect the
operation of EAP.  Similar issues apply to PANA, where there is IP and UDP
overhead on top of what would otherwise be EAPoL.

  Alan DeKok.

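The mechanism Alan describes above (the RADIUS server fragmenting its EAP responses so each one fits the MTU the NAS advertises, at the cost of many more round trips when that MTU is tiny) is shown here as an added example that is not part of the original thread or of any of the implementations he tested. It uses the EAP-TLS packet layout of RFC 5216 (4-byte EAP header, Type 13, a Flags octet with the L and M bits, and a 4-byte TLS Message Length when L is set), a fragmenter that honours a given MTU, and a reassembler that applies the length and M-bit checks a receiver should make. The MTU values, the 3000-octet sample payload standing in for a certificate chain, and the 64 KiB reassembly cap are assumptions made for this demonstration, not values from the thread or any RFC.

```python
from __future__ import annotations

import struct

# EAP-TLS constants from RFC 5216 (Code/Identifier/Length header is RFC 3748).
EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_TLS = 13
FLAG_L = 0x80          # TLS Message Length field is present
FLAG_M = 0x40          # More fragments follow
FLAG_S = 0x20          # EAP-TLS Start (not used by the fragmenter below)

EAP_HDR = 4            # Code(1) Identifier(1) Length(2)
TLS_HDR = 2            # Type(1) Flags(1)
TLS_LEN = 4            # TLS Message Length, only when the L bit is set

# Assumed upper bound on a reassembled TLS message, so a forged first
# fragment cannot make the receiver reserve an arbitrarily large buffer.
MAX_TLS_MESSAGE = 64 * 1024


def fragment_eap_tls(tls_data: bytes, mtu: int,
                     first_id: int = 1, code: int = EAP_REQUEST) -> list[bytes]:
    """Split one TLS message into EAP-TLS packets, each no larger than `mtu`.

    The first fragment carries the L bit plus the total TLS length; every
    fragment except the last carries the M bit; Identifiers increment per
    packet, as a server answering successive Access-Requests would do.
    """
    if mtu < EAP_HDR + TLS_HDR + TLS_LEN + 1:
        raise ValueError("MTU too small to carry any TLS data")
    packets: list[bytes] = []
    offset, total, ident, first = 0, len(tls_data), first_id, True
    while True:
        flags = FLAG_L if first else 0
        hdr_len = EAP_HDR + TLS_HDR + (TLS_LEN if first else 0)
        chunk = tls_data[offset:offset + (mtu - hdr_len)]
        offset += len(chunk)
        if offset < total:
            flags |= FLAG_M
        body = bytes([EAP_TYPE_TLS, flags])
        if first:
            body += struct.pack("!I", total)
        body += chunk
        packets.append(struct.pack("!BBH", code, ident & 0xFF, EAP_HDR + len(body)) + body)
        ident += 1
        first = False
        if offset >= total:
            return packets


def reassemble_eap_tls(packets: list[bytes]) -> bytes:
    """Rebuild the TLS message, rejecting malformed or inconsistent fragments."""
    out = bytearray()
    declared_total = None
    for i, pkt in enumerate(packets):
        if len(pkt) < EAP_HDR + TLS_HDR:
            raise ValueError("truncated EAP packet")
        _code, _ident, length = struct.unpack("!BBH", pkt[:EAP_HDR])
        if length != len(pkt):
            raise ValueError("EAP Length field does not match packet size")
        eap_type, flags = pkt[4], pkt[5]
        if eap_type != EAP_TYPE_TLS:
            raise ValueError("not an EAP-TLS packet")
        pos = EAP_HDR + TLS_HDR
        if flags & FLAG_L:
            (declared,) = struct.unpack("!I", pkt[pos:pos + TLS_LEN])
            pos += TLS_LEN
            if declared > MAX_TLS_MESSAGE:
                raise ValueError("declared TLS length exceeds reassembly cap")
            if i == 0:
                declared_total = declared
        out += pkt[pos:]
        if len(out) > MAX_TLS_MESSAGE:
            raise ValueError("reassembled data exceeds reassembly cap")
        # The M bit must be set on every fragment except the last one.
        if bool(flags & FLAG_M) == (i == len(packets) - 1):
            raise ValueError("M bit inconsistent with fragment position")
    if declared_total is not None and declared_total != len(out):
        raise ValueError(f"reassembled {len(out)} octets, first fragment declared {declared_total}")
    return bytes(out)


def round_trips(tls_bytes: int, mtu: int) -> int:
    """Number of EAP packets (hence RADIUS exchanges) needed for a TLS message."""
    return len(fragment_eap_tls(b"\x00" * tls_bytes, mtu))


if __name__ == "__main__":
    # Constructed sample: a 3000-octet server-certificate flight.
    sample = bytes(range(256)) * 11 + bytes(184)
    for mtu in (1400, 500, 100):
        frags = fragment_eap_tls(sample, mtu)
        assert reassemble_eap_tls(frags) == sample
        print(f"MTU {mtu:5d}: {len(frags):3d} EAP-TLS packets")
```

Running the demo shows the effect Alan observed: the same TLS flight takes 3 packets at a 1400-octet MTU, 7 at 500 and 32 at 100, so the exchange still completes but the RADIUS traffic grows in proportion. The reassembler's M-bit and declared-length checks are the ones a server should not skip, since a peer that sets the L bit with a huge length or clears M early is the cheapest way to confuse a naive reassembly loop.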

_______________________________________________
Int-area mailing list
Int-area@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/int-area