On 1999-06-18T08:37:13,
   Lars Marowsky-Bree <[EMAIL PROTECTED]> said:

> First thing which comes to my mind is the fact that TCP will lose packets
> just like UDP on saturated links - it just provides a built-in recovery
> mechanism, it resends the packets. The RADIUS protocol does this too.
> 
> One might arrive at the conclusion that if you have serious packet loss on
> your internal backbone, you are screwed anyway ;-)

Now, what I meant to say but forgot: There is a certain horror scenario
associated with the fact that TCP not only gives you reliable, but also
ordered delivery.

Let's say you actually have packet loss and your NAS gets 10 connections in
quick succession. Only the first packet sent to the server gets lost (either
the UDP packet or the first TCP packet).

What happens? 

The rest of the UDP packets arrive fine, and get authorised quickly. The
failed packet gets retransmitted after 1-2 seconds, depending on your timeout.

The rest of the TCP packets do not get through to the RADIUS server, because
the first one is missing, and you get the TCP/IP stream only after it has been
successfully retransmitted. This delays all other requests behind the failed
one too, maybe triggering timeouts on the NAS and causing the NAS to retransmit
the query to the RADIUS server at the leaf site, which would probably require
duplicate detection code to not retransmit to the server in this case.

The effect can be lessened by opening, let's say, 5 parallel connections from
the leaf site to the master server and using them round-robin, but this
doesn't solve the problem completely.

And TCP/IP has quite some interesting timeouts before admitting failure, which
are absolutely unacceptable for RADIUS. (And the fact that it admits failure
and takes the entire send queue down, and not just the failed packet.)

(This is unlikely to occur, but anyway: If it is the _bitpattern_ in the first
packet which causes the transmit to fail (been there, done that), it would kill
the whole TCP connection over which it is sent, since it could never be
transmitted - in the UDP case, only this one auth would fail.)

Encryption: Yes. (Should be no problem from .au) Cool idea for colocated
servers etc. Maybe even a smarter retransmit thing than the current RADIUS
protocol.

TCP? Not IMHO.


Sincerely,
    Lars Marowsky-Brée
        
--
Lars Marowsky-Brée
Network Management

teuto.net Netzdienste GmbH - DPN Verbund-Partner

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
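The head-of-line blocking scenario in the post above (10 requests in quick succession, only the first packet lost, compared over UDP, over one TCP connection, and over 5 round-robin TCP connections, plus the "packet that can never be transmitted" case) as an added simulation. This is example code written for this page, not Radiator's or the author's code; all timings (one-way delay, the RADIUS retry timer, the TCP retransmission timeout and the NAS timeout) are constructed assumptions, not measurements.

```python
"""
Constructed simulation of RADIUS-over-UDP versus RADIUS-over-TCP delivery
when the first of N back-to-back requests is lost.

UDP: every datagram is independent, so a loss delays only that request.
TCP: the receiver can only hand request i to the RADIUS server once every
earlier byte of the same stream has arrived, so one lost segment holds back
everything queued behind it on that connection (head-of-line blocking).
"""
import math

# Constructed assumptions, in seconds (not measured values).
ONE_WAY_DELAY = 0.010   # proxy -> server propagation delay
SEND_INTERVAL = 0.005   # gap between successive requests leaving the proxy
UDP_RETRY = 2.0         # RADIUS client retransmit timer ("1-2 seconds" above)
TCP_RTO = 1.0           # TCP retransmission timeout for the lost segment
NAS_TIMEOUT = 0.5       # the NAS's own retry timer towards the proxy


def _arrival(i, lost_once, never, retry):
    """Time at which packet i first reaches the server.

    `lost_once` holds indices dropped once and recovered by retransmission,
    `never` holds indices that can never get through (the bit-pattern case).
    """
    sent = i * SEND_INTERVAL
    if i in never:
        return math.inf
    if i in lost_once:
        return sent + retry + ONE_WAY_DELAY
    return sent + ONE_WAY_DELAY


def udp_delivery(n, lost_once=frozenset(), never=frozenset()):
    """Each datagram stands alone: a loss only affects that one request."""
    return [_arrival(i, lost_once, never, UDP_RETRY) for i in range(n)]


def tcp_delivery(n, lost_once=frozenset(), never=frozenset(), connections=1):
    """Requests are spread round-robin over `connections` streams; inside a
    stream, request i is deliverable only after all earlier segments of that
    stream have arrived, so a lost (or undeliverable) segment blocks the rest."""
    times = [0.0] * n
    for c in range(connections):
        ready = 0.0  # time by which everything earlier on this stream arrived
        for i in range(c, n, connections):
            ready = max(ready, _arrival(i, lost_once, never, TCP_RTO))
            times[i] = ready
    return times


def latencies(times):
    """Delay between sending request i and the server being able to read it."""
    return [t - i * SEND_INTERVAL for i, t in enumerate(times)]


def nas_retransmits(times, nas_timeout=NAS_TIMEOUT):
    """Requests the NAS would re-send because no answer can arrive in time;
    each of these needs duplicate detection at the proxy."""
    return [i for i, lat in enumerate(latencies(times)) if lat > nas_timeout]


def failed(times):
    """Requests that never reach the server at all."""
    return [i for i, t in enumerate(times) if math.isinf(t)]


if __name__ == "__main__":
    n = 10
    scenarios = [
        ("UDP, first packet lost once", udp_delivery(n, lost_once={0})),
        ("TCP x1, first segment lost once", tcp_delivery(n, lost_once={0})),
        ("TCP x5, first segment lost once", tcp_delivery(n, lost_once={0}, connections=5)),
        ("UDP, first packet undeliverable", udp_delivery(n, never={0})),
        ("TCP x1, first segment undeliverable", tcp_delivery(n, never={0})),
    ]
    for label, times in scenarios:
        print(f"{label}:")
        print(f"  NAS retransmits for requests {nas_retransmits(times)}")
        print(f"  requests that never arrive: {failed(times)}")
```

With these assumptions a single lost UDP datagram makes exactly one request overrun the NAS timer, the same loss on one TCP stream makes all ten overrun it, and five round-robin streams reduce that to the two requests sharing the unlucky stream. The "undeliverable segment" case shows the same shape: one failed authentication over UDP versus every request behind it on that TCP connection.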