The problem is that some EAP methods (e.g. most non-TLS based methods) don't support fragmentation, so in practice I'm not sure that all existing methods would work over a 500 octet MTU.

--------------------------------------------------
From: "Alan DeKok" <[EMAIL PROTECTED]>
Sent: Thursday, October 25, 2007 12:33 AM
To: <[EMAIL PROTECTED]>
Cc: "Internet Area" <[email protected]>
Subject: Re: [Int-area] DCHP-based authentication for DSL?

Richard Pruss wrote:
> The fragmentation size problem may be addressed by the relay agent
> having the role of EAP authenticator, as it splits the EAP traffic into
> RADIUS out of DHCP, and DHCP messages should be normally sized to the
> server.

 RADIUS packets are maximum 4k in size, so RADIUS wouldn't be the
limiting factor.  What is the limiting factor is EAPoL, where packets
can't be fragmented.  Most RADIUS servers already look for an MTU in the
Access-Request, and limit the size of EAP responses on their end, so
that the EAP data will fit into one Ethernet packet.

 My tests on various implementations show that RADIUS servers and
802.1X supplicants appear to work with MTUs set very low, such as 100
octets.  The result is a LOT more RADIUS traffic than normal, but the
authentication process succeeds.

 So limiting the DHCP packet sizes to 500 octets shouldn't affect the
operation of EAP.  Similar issues apply to PANA, where there is IP and UDP
overhead on top of what would otherwise be EAPoL.

 Alan DeKok.


_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area

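The sizing behaviour the thread describes (a RADIUS server that knows the MTU and emits EAP responses that fit it, with TLS-based methods fragmenting and non-TLS methods needing to fit in one packet), as an added example that is neither code from this thread nor from any poster. It implements the RFC 5216 EAP-TLS fragment layout (L/M flags, 4-octet TLS Message Length); the 100-octet budget, the caller having already subtracted lower-layer overhead, and the sample TLS bytes are assumptions or constructed data.

```python
"""RFC 5216 EAP-TLS fragmentation against a fixed per-packet EAP budget: the
budget covers the whole EAP packet (Code through data), lower-layer overhead
already subtracted.  Server side fragments; peer side reassembles."""
import struct

EAP_CODE_REQUEST, EAP_TYPE_TLS = 1, 13
FLAG_L, FLAG_M = 0x80, 0x40          # Length-included, More-fragments

def fragment_eap_tls(tls_data: bytes, eap_max: int, first_id: int = 0) -> list[bytes]:
    """Split tls_data into EAP-Request/EAP-TLS packets of at most eap_max octets."""
    frags, offset, ident, first = [], 0, first_id, True
    while first or offset < len(tls_data):
        fixed = 6 + (4 if first else 0)   # Code,Id,Length,Type,Flags (+TLS length)
        room = eap_max - fixed
        if room <= 0:
            raise ValueError("eap_max leaves no room for EAP-TLS data")
        chunk = tls_data[offset:offset + room]
        offset += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if offset < len(tls_data) else 0)
        body = bytes([EAP_TYPE_TLS, flags])
        if first:                         # L set: 4-octet total TLS message length
            body += struct.pack("!I", len(tls_data))
        body += chunk
        frags.append(struct.pack("!BBH", EAP_CODE_REQUEST, ident & 0xFF, 4 + len(body)) + body)
        ident, first = ident + 1, False
    return frags

def reassemble_eap_tls(frags: list[bytes]) -> bytes:
    """Peer side: check each fragment's Length field and rebuild the TLS data."""
    expected, buf = None, b""
    for pkt in frags:
        length = struct.unpack("!H", pkt[2:4])[0]
        if length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS fragment")
        flags, pos = pkt[5], 6
        if flags & FLAG_L:
            expected, pos = struct.unpack("!I", pkt[6:10])[0], 10
        buf += pkt[pos:]
        if not flags & FLAG_M:
            break
    if expected is not None and len(buf) != expected:
        raise ValueError("reassembled size does not match TLS Message Length")
    return buf

def fits_unfragmented(method_payload: bytes, eap_max: int) -> bool:
    """Methods without fragmentation (e.g. EAP-MD5) need Type+data in one packet."""
    return 5 + len(method_payload) <= eap_max

# Constructed sample standing in for a 700-octet TLS flight; not a real handshake.
SAMPLE_TLS = (b"\x16\x03\x03" + bytes(97)) * 7
```

With a 100-octet budget the 700-octet sample becomes 8 EAP-Requests (a 90-octet first chunk, then 94-octet chunks), which is the "a LOT more RADIUS traffic" effect Alan observed at low MTUs.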