In EAP, the authenticator is responsible for retransmission. By default EAP assumes that the lower layer (the application in this context) is unreliable. The authenticator can send a packet whenever its retransmission timer triggers. In this mode, applications need to process EAP messages at any time during the authentication conversation.
Alternatively, EAP permits a lower layer to set the retransmission timer to infinite. In this case, the lower layer is responsible for reliable delivery of EAP messages. Applications that use a lock-step or client-driven authentication protocol might benefit from this approach.

In addition to retransmission behavior, applications need to deal with discarded EAP messages. Whenever some EAP methods receive erroneous input, these methods discard the input rather than generating an error response. If the erroneous input was generated by an attacker, legitimate input can sometimes be received after the erroneous input. Applications MUST handle an EAP method discarding a message, although the specific way in which discarded messages will be handled depends on the characteristics of the application. Options include failing the authentication at the application level and waiting for additional EAP input, possibly after an EAP retransmit. Specifications of how EAP is used for application authentication SHOULD document how retransmission and message discards are handled.

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
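The following is an added model of the two behaviors discussed in this message (the authenticator's retransmission timer, including the infinite-timer case, and an EAP method silently discarding erroneous input). It is not code from the message, from any EAP implementation, or from an ABFAB specification. The packet layout, the "reverse the challenge" method, the fixed retransmit limit and the `on_discard` application policy are all assumptions made for illustration; only the EAP Code values (Request/Response/Success/Failure) follow RFC 3748.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# EAP Code values from RFC 3748; the rest of the packet layout is simplified.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
CODE_NAMES = {REQUEST: "Request", RESPONSE: "Response",
              SUCCESS: "Success", FAILURE: "Failure"}


@dataclass(frozen=True)
class EapPacket:
    code: int
    identifier: int
    data: bytes = b""


class ToyChallengeMethod:
    """Hypothetical authenticator-side method (assumption, not a real EAP method):
    sends a challenge and expects the peer to return it reversed.
    Erroneous input is discarded (returns None) rather than answered with Failure."""

    def __init__(self, challenge: bytes) -> None:
        self.challenge = challenge

    def initial_request(self, identifier: int) -> EapPacket:
        return EapPacket(REQUEST, identifier, self.challenge)

    def process(self, pkt: EapPacket, expected_id: int) -> Optional[EapPacket]:
        # Not a Response, wrong Identifier, or wrong answer: silently discard.
        if pkt.code != RESPONSE or pkt.identifier != expected_id:
            return None
        if pkt.data != self.challenge[::-1]:
            return None
        return EapPacket(SUCCESS, expected_id)


class Authenticator:
    """Authenticator owning the retransmission timer. timeout=None models the
    'infinite' timer, where the lower layer is responsible for reliable delivery."""

    def __init__(self, method: ToyChallengeMethod, timeout: Optional[float],
                 max_retransmits: int = 3) -> None:   # limit is an assumption
        self.method = method
        self.timeout = timeout
        self.max_retransmits = max_retransmits
        self.retransmits = 0
        self.identifier = 0
        self.outstanding: Optional[EapPacket] = method.initial_request(self.identifier)
        self.last_sent_at = 0.0
        self.result: Optional[str] = None

    def timer_fired(self, now: float) -> Optional[EapPacket]:
        """Return a packet to put on the wire if the retransmission timer expired."""
        if self.timeout is None or self.outstanding is None:
            return None
        if now - self.last_sent_at < self.timeout:
            return None
        if self.retransmits >= self.max_retransmits:
            self.result = "failure"          # gave up: EAP-level Failure
            self.outstanding = None
            return EapPacket(FAILURE, self.identifier)
        self.retransmits += 1
        self.last_sent_at = now
        return self.outstanding              # same Request, same Identifier

    def receive(self, pkt: EapPacket) -> Optional[EapPacket]:
        """Hand an inbound packet to the method; None means it was discarded."""
        if self.outstanding is None:
            return None
        out = self.method.process(pkt, self.identifier)
        if out is None:
            return None
        self.outstanding = None
        if out.code == SUCCESS:
            self.result = "success"
        return out


CHALLENGE = b"nonce"                                         # constructed value
LEGIT_RESPONSE = EapPacket(RESPONSE, 0, CHALLENGE[::-1])     # the correct answer
BOGUS_RESPONSE = EapPacket(RESPONSE, 0, b"garbage")          # constructed erroneous input


def run_scenario(timeout: Optional[float], inbound: List[Tuple[int, EapPacket]],
                 end_time: int, on_discard: str = "wait") -> Dict[str, object]:
    """Drive the authenticator with a clock in whole-second steps.
    on_discard is the application's policy for a discarded message:
    "wait" keeps the conversation open for later input (possibly after a
    retransmit), "fail" aborts the authentication at the application level."""
    auth = Authenticator(ToyChallengeMethod(CHALLENGE), timeout)
    log: List[Tuple[int, str, str]] = [(0, "send", "Request")]
    now = 0
    result: Optional[str] = None
    for t, pkt in sorted(inbound, key=lambda e: e[0]) + [(end_time, None)]:
        while now < t:                        # advance the clock, firing the timer
            now += 1
            out = auth.timer_fired(now)
            if out is not None:
                kind = "retransmit" if out.code == REQUEST else "send"
                log.append((now, kind, CODE_NAMES[out.code]))
        if pkt is None:
            break
        out = auth.receive(pkt)
        if out is not None:
            log.append((t, "send", CODE_NAMES[out.code]))
        elif on_discard == "fail":
            log.append((t, "app-fail", CODE_NAMES[pkt.code]))
            result = "app-failure"
            break
        else:
            log.append((t, "discard", CODE_NAMES[pkt.code]))
    return {"result": result or auth.result, "retransmits": auth.retransmits, "log": log}


if __name__ == "__main__":
    # Erroneous input at t=1, legitimate input at t=5, timer of 2s: the bogus
    # packet is discarded, the Request is retransmitted twice, then Success.
    print(run_scenario(2, [(1, BOGUS_RESPONSE), (5, LEGIT_RESPONSE)], 10))
    print(run_scenario(None, [(1, BOGUS_RESPONSE), (5, LEGIT_RESPONSE)], 10))
```

The point the model makes concrete is the interaction between the two mechanisms: with a finite timer the application must accept EAP input at any moment and must also be ready to put a retransmitted Request on the wire while a discarded message is being ignored, whereas with the infinite timer nothing is ever retransmitted and the authentication simply stays open until the lower layer delivers the legitimate Response. The `on_discard="fail"` policy shows the cost of the other option named above: an attacker-supplied junk packet ends the authentication before the legitimate peer's answer arrives.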
