Re: Ordered delivery of EAP messages

Alan DeKok <mailto:alanddeployingradius.com>
allegedly scribbled on
Wednesday, March 07, 2007 5:45 AM:

> Alper Yegin wrote:
>> RFC 2865 says:
>> 
>>       The RADIUS server can detect a duplicate
request if
>>       it has the same client source IP address and
source UDP port
>>       and Identifier within a short span of time.
>> 
>> This, to me, implies duplicate detection on the
server side does not
>> rely on orderly delivery. Keeping the history for
"a short span of
>> time" allows duplicate detection irrespective
of the order the
>> requests come in. 
> 
>   Yes.  All well-behaved RADIUS servers do this. 
RADIUS servers that
> *don't* do this can led to believe that a user has
logged in twice,
> when the second attempt was just a duplicate. 
> 
>> As for the responses... Assuming the RADIUS client
transmitted a
>> request twice (first one timed out), if it receives
one of the
>> responses, would it still accept the second
(duplicate) response if
>> it arrives as well? 
> 
>   What do you mean "accept"?  The client has
already had a response
> to the first transmission.  The only safe thing to do
here is to
> silently discard the response to the re-transmitted
request. 
> Ideally, this case SHOULD be separated from the case of
unsolicited
> or spoofed "replies" by the client also
caching requests for a period
> of time.     
> 
>> Wouldn't
>> the RADIUS client just drop the second response
because there is no
>> outstanding request to match anymore?
> 
>   That is the safest thing to do, yes.

All of these things make total sense but AFAICT none are
actually
mandated by RFC 2865. 

> 
>   Alan DeKok.
____________________________________________________________
_____
To unsubscribe or modify your subscription options, please
visit:
http:/
/lists.frascone.com/mailman/listinfo/eap

Arhives: http://lists.
frascone.com/pipermail/eap