I just created a really simple one, and it was less than 1K in size. However, this assumes that it is not signed. If you sign it then it will quickly jump in size, as you are going to be looking at having a certificate and a signature included in the message, which will likely be greater than 4K.
Jim

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Alejandro Perez Mendez
> Sent: Monday, February 11, 2013 2:01 AM
> To: Sam Hartman
> Cc: [email protected]; [email protected]
> Subject: Re: [abfab] Fwd: New Version Notification for draft-perez-radext-radius-fragmentation-05.txt
>
> > Hi, Alex.
> >
> > With my draft-ietf-abfab-aaa-saml hat on, I have a problem with one of
> > the proposed changes:
> >
> > * Fragmentation can only occur after authentication. Clients wanting to send
> > large amounts of data can signal this situation on the first
> > Access-Request, but the exchange will happen after authentication is
> > completed for security reasons.
> >
> > Unfortunately some of the use cases for SAML involve looking at the
> > SAML request to determine what authentication would be acceptable. As
> > an example, we need to look at the LOA to determine what EAP methods
> > are acceptable.
>
> Hi Sam,
>
> do you expect this data to be so large that it makes the first Access-Request
> packet exceed the limit? It does not prevent SAML data from being in the packet,
> it just avoids the use of fragmentation for security reasons. When using EAP,
> the first Access-Request is usually small, as it only contains EAP-Identity.
> Hence, almost 4KB would be available for SAML data.
>
> Regards,
> Alejandro
>
> > As such, we do actually need to be able to send things like SAML
> > requests prior to authentication.
> >
> > So, I'd like to better understand the reasons for this change.
> > If it's DOS concerns, I would prefer to revert the change and simply
> > note the concern in security considerations.
> >
> > Also, from a DOS standpoint, since the entity being authenticated is
> > the user, not the NAS, I'd like to understand how you're better off
> > from a DOS standpoint after authentication.
> >
> > --Sam
>
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab
