Subject: Q: EAP retransmission & fragmentation
From: Mahesh Kelkar (mkelkar
Date: Tue, 7 Jun 2005 17:13:20 -0400 (EDT)

Consider an example where...
- EAP-server & Radius Server lie on the same backend authentication server.
- Access Point (AP)/NAS acts as a passthrough for the EAP auth negotiation.
- EAP-client lies on the peer.
- EAP authentication is negotiated between EAP-server & EAP-client.

Question 1) Who is supposed to retransmit the EAP packets? EAP-server or AP?
- According to RFC2716, EAP-server should retransmit the EAP packets (section 3.2 - Retry Behavior - "As with other EAP protocols, the EAP server is responsible for retry behavior").
- According to RFC3748, AP should retransmit the EAP packets (4.1 - Request and Response - "Implementation Note: The authenticator is responsible for retransmitting Request messages. If the Request message is obtained from elsewhere (such as from a backend authentication server), then the authenticator will need to save a copy of the Request in order to accomplish this.").
- According to RFC 3579, AP should retransmit the EAP packets (2.3 - Retransmission - "As noted in [RFC2284], if an EAP packet is lost in transit between the authenticating peer and the NAS (or vice versa), the NAS will retransmit").

Which one is true?

I think it is very unnatural for AP to retransmit the packets, because it is acting as a pass-through and shouldn't be involved in caching the packets & keeping track of them.

Question 2)
Normally, EAP-server is instructed to fragment the EAP packets to the size of FRAMED-MTU (transmitted in the Radius Access request). Let's say we have an EAP-server or Radius Server that does not comply with this and fragments the packet to a size larger than the link MTU between AP & the peer.

Now, AP will have to fragment the EAP packet using the fragmentation specified by the authentication method (TLS in this case). And each fragment will require a unique identifier.

In this case, how do we manage the identification fields of the EAP packets? Because if we don't, then the EAP-response from the peer, reassembled at the AP, will definitely have a different id than the original id of the EAP request packet.

Also, can we fragment the EAP-TLS fragment in order to fit it within the link MTU?

Thanks
Mahesh
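The two questions in the post (who retransmits, and how the EAP Identifier behaves when an EAP-TLS message is split to fit a link MTU) can be seen concretely in a small simulation. The following Python is an added example written for this archive page; it is not code from the poster or from any of the cited RFCs. It encodes the EAP header from RFC 3748 (Code, Identifier, Length, Type) and the EAP-TLS Type 13 Flags byte from RFC 2716 (L = length included, M = more fragments, S = start), and applies two Identifier rules from RFC 3748 section 4.1: each new Request gets a fresh Identifier, and a retransmitted Request reuses the Identifier of the original. Whichever entity does the retransmitting (EAP server, or an authenticator that kept a copy as the RFC 3748 implementation note describes) needs nothing more than the stored bytes of the last Request. The class names, the `eap_mtu` parameter (assumed here to be the largest EAP packet the link carries) and the sample TLS payload are constructed for the example.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # RFC 2716 flags: Length, More, Start
EAP_HDR = 4                                  # Code(1) Identifier(1) Length(2)


def encode_eap_tls(code, identifier, flags, data=b"", tls_len=None):
    """Build one EAP-TLS packet: RFC 3748 header + Type + Flags [+ TLS length] + data."""
    body = bytes([EAP_TYPE_TLS, flags])
    if flags & FLAG_L:
        body += struct.pack("!I", tls_len)       # total TLS message length, first fragment only
    body += data
    return struct.pack("!BBH", code, identifier, EAP_HDR + len(body)) + body


def decode_eap_tls(pkt):
    """Parse an EAP-TLS packet into (code, identifier, flags, tls_len, data)."""
    code, identifier, length = struct.unpack("!BBH", pkt[:EAP_HDR])
    if length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
        raise ValueError("malformed EAP-TLS packet")
    flags, offset, tls_len = pkt[5], 6, None
    if flags & FLAG_L:
        tls_len = struct.unpack("!I", pkt[6:10])[0]
        offset = 10
    return code, identifier, flags, tls_len, pkt[offset:]


def fragment_tls_message(tls_msg, eap_mtu):
    """Split a TLS message into (flags, data, tls_len) chunks so each EAP packet fits eap_mtu."""
    first_room = eap_mtu - (EAP_HDR + 2 + 4)     # first fragment also carries the 4-byte length
    rest_room = eap_mtu - (EAP_HDR + 2)
    if first_room <= 0:
        raise ValueError("eap_mtu too small for an EAP-TLS fragment")
    if len(tls_msg) <= rest_room:
        return [(0, tls_msg, None)]              # fits in one packet: no L, no M
    chunks, pos = [], 0
    while pos < len(tls_msg):
        first = pos == 0
        data = tls_msg[pos:pos + (first_room if first else rest_room)]
        pos += len(data)
        flags = (FLAG_L if first else 0) | (FLAG_M if pos < len(tls_msg) else 0)
        chunks.append((flags, data, len(tls_msg) if first else None))
    return chunks


class FragmentSender:
    """Sends one fragment per Request in lock-step; keeps a copy for retransmission."""
    def __init__(self, tls_msg, eap_mtu, first_id):
        self.chunks = fragment_tls_message(tls_msg, eap_mtu)
        self.ident, self.index, self.last_request = first_id - 1, 0, None

    def next_request(self):
        if self.index >= len(self.chunks):
            return None
        flags, data, tls_len = self.chunks[self.index]
        self.ident = (self.ident + 1) & 0xFF     # new Identifier for every new Request
        self.last_request = encode_eap_tls(EAP_REQUEST, self.ident, flags, data, tls_len)
        return self.last_request

    def retransmit(self):
        return self.last_request                 # same bytes, same Identifier

    def on_response(self, pkt):
        code, ident, _, _, _ = decode_eap_tls(pkt)
        if code != EAP_RESPONSE or ident != self.ident:
            return False                         # stale or duplicate Response: discard
        self.index += 1
        return True


class FragmentReceiver:
    """Reassembles fragments and answers each Request with a Response of matching Identifier."""
    def __init__(self, final_reply=b""):
        self.buf, self.expected, self.message = bytearray(), None, None
        self.last_ident, self.last_response, self.final_reply = None, None, final_reply

    def on_request(self, pkt):
        code, ident, flags, tls_len, data = decode_eap_tls(pkt)
        if code != EAP_REQUEST:
            raise ValueError("expected an EAP Request")
        if ident == self.last_ident:
            return self.last_response            # retransmitted Request: do not re-append data
        if flags & FLAG_L:
            self.buf, self.expected = bytearray(), tls_len
        self.buf += data
        self.last_ident = ident
        if flags & FLAG_M:
            self.last_response = encode_eap_tls(EAP_RESPONSE, ident, 0)   # empty ACK fragment
        else:
            if self.expected is not None and len(self.buf) != self.expected:
                raise ValueError("reassembled length does not match advertised TLS length")
            self.message = bytes(self.buf)
            self.last_response = encode_eap_tls(EAP_RESPONSE, ident, 0, self.final_reply)
        return self.last_response


def run_exchange(tls_msg, eap_mtu, first_id=10, lose_first_response=False):
    """Drive a full fragmented exchange; return (reassembled message, Identifiers seen, max packet size)."""
    sender, receiver = FragmentSender(tls_msg, eap_mtu, first_id), FragmentReceiver(b"client-hello")
    ids, max_len, lost = [], 0, lose_first_response
    req = sender.next_request()
    while req is not None:
        ids.append(req[1])
        max_len = max(max_len, len(req))
        resp = receiver.on_request(req)
        if lost:                                 # simulate the first Response being lost
            lost, req = False, sender.retransmit()
            continue
        sender.on_response(resp)
        req = sender.next_request()
    return receiver.message, ids, max_len


if __name__ == "__main__":
    sample = bytes(range(256)) * 3               # constructed 768-byte stand-in for a TLS flight
    msg, ids, biggest = run_exchange(sample, eap_mtu=256, lose_first_response=True)
    print(msg == sample, ids, biggest)
```

With a 256-byte budget the 768-byte message becomes four Requests (246 + 250 + 250 + 22 bytes of TLS data), each with its own Identifier; when the first Response is lost the retransmitted Request reuses Identifier 10 and the receiver, recognising the duplicate, resends its ACK instead of appending the data twice.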