Re: fragmented ipv4[udp] ignored by server.

Tom Smyth Sun, 05 Mar 2023 14:28:10 -0800

Hi Mikhael,
Moving this on to Misc List as it is more approiaate for support type
requests,


It may not be OpenbSD,  that is ignoring the fragments, depending on your
setup
an intermediate device ( NAT router etc) could be proccessing the IP
fragments incorrectly and or dropping them...
IP fragments are a pain as they dont really match the protocol of the
original packet  and  have all sorts of issues when traversing multipath
(hashed) multipath  routes between the source and destination..
cloudflare have a really good article on this
https://blog.cloudflare.com/ip-fragmentation-is-broken/

Hope this is of help...


On Sun, 5 Mar 2023 at 22:04, Mikhael Lialin <soult...@gmail.com> wrote:

> Hi.
>
> I'm successfully configured eap tls with freeradius.
>
> However with default value for fragment_size in wpa_supplicant.conf
> which equals 1398 - packets get fragmented and seems ignored by the server.
>
> Both systems are openbsd 7.2
>
> here is output from thsark:
>
> --target radius--
> 9 124.886123   10.10.2.10 ? 10.10.2.1    RADIUS 188 Access-Request id=0
> 10 124.894967    10.10.2.1 ? 10.10.2.10   RADIUS 106 Access-Challenge id=0
> 11 124.914163   10.10.2.10 ? 10.10.2.1    RADIUS 373 Access-Request id=1
> 12 125.010446    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=1
> 13 125.014979   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=2
> 14 125.032537    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=2
> 15 125.034214   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=3
> 16 125.045650    10.10.2.1 ? 10.10.2.10   RADIUS 300 Access-Challenge id=3
>
>
> --source eapol_test with wpa_supplicant.conf---
>
> 1   0.000000   10.10.2.10 ? 10.10.2.1    RADIUS 188 Access-Request id=0
> 2   0.011025    10.10.2.1 ? 10.10.2.10   RADIUS 106 Access-Challenge id=0
> 3   0.027023   10.10.2.10 ? 10.10.2.1    RADIUS 373 Access-Request id=1
> 4   0.126651    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=1
> 5   0.127440   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=2
> 6   0.148742    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=2
> 7   0.149411   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=3
> 8   0.161846    10.10.2.1 ? 10.10.2.10   RADIUS 300 Access-Challenge id=3
> 9   0.179447   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP
> protocol (proto=UDP 17, off=0, ID=b444)
> 10   3.193244   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP
> protocol (proto=UDP 17, off=0, ID=b576)
> 11   9.213196   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP
> protocol (proto=UDP 17, off=0, ID=ef21)
> 12  21.233280   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP
> protocol (proto=UDP 17, off=0, ID=00d0)
>
> eapol_test fails
>
> setting fragment_size = 1212 in wpa_supplicant.conf and getting success.
>
> output from tshark:
>
> --target radius--
> 1   0.000000   10.10.2.10 ? 10.10.2.1    RADIUS 188 Access-Request id=0
> 2   0.006613    10.10.2.1 ? 10.10.2.10   RADIUS 106 Access-Challenge id=0
> 3   0.024538   10.10.2.10 ? 10.10.2.1    RADIUS 373 Access-Request id=1
> 4   0.104617    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=1
> 5   0.106355   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=2
> 6   0.114877    10.10.2.1 ? 10.10.2.10   RADIUS 1320 Access-Challenge id=2
> 7   0.118679   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=3
> 8   0.128309    10.10.2.1 ? 10.10.2.10   RADIUS 300 Access-Challenge id=3
> 9   0.145442   10.10.2.10 ? 10.10.2.1    RADIUS 1415 Access-Request id=4
> 10   0.160230    10.10.2.1 ? 10.10.2.10   RADIUS 106 Access-Challenge id=4
> 11   0.161621   10.10.2.10 ? 10.10.2.1    RADIUS 1372 Access-Request id=5
> 12   0.262102    10.10.2.1 ? 10.10.2.10   RADIUS 161 Access-Challenge id=5
> 13   0.263753   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request id=6
> 14   0.281330    10.10.2.1 ? 10.10.2.10   RADIUS 226 Access-Accept id=6
>
> --source eapol_test with wpa_supplicant.conf---
>
>      1   0.000000   10.10.2.10 ? 10.10.2.1    RADIUS 188 Access-Request
> id=0
>      2   0.010060    10.10.2.1 ? 10.10.2.10   RADIUS 106
> Access-Challenge id=0
>      3   0.023662   10.10.2.10 ? 10.10.2.1    RADIUS 373 Access-Request
> id=1
>      4   0.108072    10.10.2.1 ? 10.10.2.10   RADIUS 1320
> Access-Challenge id=1
>      5   0.108734   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request
> id=2
>      6   0.118632    10.10.2.1 ? 10.10.2.10   RADIUS 1320
> Access-Challenge id=2
>      7   0.119341   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request
> id=3
>      8   0.132026    10.10.2.1 ? 10.10.2.10   RADIUS 300
> Access-Challenge id=3
>      9   0.147236   10.10.2.10 ? 10.10.2.1    RADIUS 1415 Access-Request
> id=4
>     10   0.163300    10.10.2.1 ? 10.10.2.10   RADIUS 106
> Access-Challenge id=4
>     11   0.164158   10.10.2.10 ? 10.10.2.1    RADIUS 1372 Access-Request
> id=5
>     12   0.265514    10.10.2.1 ? 10.10.2.10   RADIUS 161
> Access-Challenge id=5
>     13   0.266328   10.10.2.10 ? 10.10.2.1    RADIUS 191 Access-Request
> id=6
>     14   0.284607    10.10.2.1 ? 10.10.2.10   RADIUS 226 Access-Accept id=6
>
> Question: How to avoid altering fragment_size to get this working ?
>
> Some clients could not be set so easily like phones.
>
> Thank you.
>
> Mikhael.
>
>

-- 
Kindest regards,
Tom Smyth.

Re: fragmented ipv4[udp] ignored by server.

Reply via email to