IETF Logo Mail Archive

[radext] Client ID exhaustion

Stefan Winter <stefan.winter@restena.lu> Wed, 26 April 2017 12:43 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45FCA129B7E for <radext@ietfa.amsl.com>; Wed, 26 Apr 2017 05:43:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level:
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RP_MATCHES_RCVD=-0.001, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ArZC64svteZ for <radext@ietfa.amsl.com>; Wed, 26 Apr 2017 05:43:20 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD6E3129B37 for <radext@ietf.org>; Wed, 26 Apr 2017 05:43:19 -0700 (PDT)
Received: from aragorn.restena.lu (aragorn.restena.lu [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id 487264397C for <radext@ietf.org>; Wed, 26 Apr 2017 14:43:17 +0200 (CEST)
To: radext@ietf.org
From: Stefan Winter <stefan.winter@restena.lu>
Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Message-ID: <f521cd74-028d-33e7-4b94-0a9d65bd7d37@restena.lu>
Date: Wed, 26 Apr 2017 14:43:16 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="E2EPhuu5MGv8IEBJfPu7EO7Huq8D754pT"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/I5cKJOGL4xB0ZL6kQFCxbmZT_Eg>
Subject: [radext] Client ID exhaustion
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 12:43:21 -0000

Hello,


we keep hearing assertions on the list that change is needed regarding
the ID field in RADIUS.


I would like to recall RFC2865's section 2.5


"If a

   NAS needs more than 256 IDs for outstanding requests, it MAY use
   additional source ports to send requests from, and keep track of IDs
   for each source port.  This allows up to 16 million or so outstanding
   requests at one time to a single server."


It's fairly clear that implementations which do not follow the MAY will
run into exhaustion problems rather soon.

It's less clear that implementations which do follow this MAY still do.
We've heard finger-in-the-air calculations on the list that this may
become a problem earlier than one might think. But is there actual
evidence to that end in deployed reality?

Can someone please share their experience regarding a deployment and
implementation which DOES implement the MAY above but STILL runs out of
RADIUS packet IDs?

Obviously, for those implementors which do not implement the MAY, the
suggestion would be to implement that before trying to make protocol
changes. The corresponding advice in RFC2865 may be 17 years old now,
but that doesn't mean it is not good advice.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

v2.23.0 | Report a Bug | By Email