Re: Q: EAP retransmission & fragmentation
From: Mahesh Kelkar (mkelkarjuniper.net)
Date: Fri, 17 Jun 2005 10:15:06 -0400 (EDT)
Thanks Bernard for the response. However, I am still uncertain 
about a few things. Hence I have outlined an example below that 
would help me post a set of clear questions.

=========================>>>>>>>>>>>>>>>>>>>

Here is example 2 from section 3.8 of RFC 2716 
(PPP EAP TLS Authentication Protocol). 

******If the following figure does not fit into your email editor, 
please copy the figure & paste it into a notepad.***************

In this case the EAP server & RADIUS server are situated on the 
Backend Authentication Server. The AP/NAS hosts the RADIUS client & 
PPP server, and the peer hosts the PPP client & EAP client.

 +-------------------+ +-------------------+ +-------------------+
 | Backend           | | Access Point (AP) | | Peer/Client       |
 | Authentication    | | or NAS  or        | |                   |
 | Server            | | EAP Authenticator | |                   |
 | +------+ +------+ | | +------+ +------+ | | +------+ +------+ |
 | |      | |      | | | |      | |      | | | |      | |      | |
 | |EAP   | |Radius|<--->|Radius| |PPP   |<--->|PPP   | |EAP   | |
 | |Server| |Server| | | |Client| |Server| | | |Client| |Client| |
 | |      | |      | | | |      | |      | | | |      | |      | |
 | +------+ +------+ | | +------+ +------+ | | +------+ +------+ |
 |     :        :    | |    :         :    | |     :       :     |
 +-------------------+ +-------------------+ +-------------------+
       :        :           :         :            :       :
       |        |           |         |    (1)     |       |
       |        |           |         |<---------->|       |
       |        |           |         |    (2)     |       |
       |        |           |         |------------+------>|
       |        |           |         |    (3)     |       |
       |<-------+-----------+---------+------------+-------|
       |        |           |         |    (4)     |       |
       |--------+-----------+---------+------------+------>|
       |        |           |         |    (5)     |       |
       |<-------+-----------+---------+------------+-------|
       |        |           |         |    (6)     |       |
       |--------+-----------+---------+------------+------>|
       |        |           |         |    (7)     |       |
       |<-------+-----------+---------+------------+-------|
       |        |           |         |    (8)     |       |
       |--------+-----------+---------+------------+------>|
       |        |           |         |    (9)     |       |
       |<-------+-----------+---------+------------+-------|
       |        |           |         |    (10)    |       |
       |--------+-----------+---------+------------+------>|
       |        |           |         |    (11)    |       |
       |<-------+-----------+---------+------------+-------|
       |        |           |         |    (12)    |       |
       |--------+-----------+---------+------------+------>|
       |        |           |         |    (13)    |       |
       |<-------+-----------+---------+------------+-------|
       |        |           |         |    (14)    |       |
       |--------+-----------+---------+------------+------>|
       |        |           |         |    (15)    |       |
       |<-------+-----------+---------+------------+-------|
       |        |           |         |    (16)    |       |
       |--------+-----------+---------+------------+------>|
       |        |           |         |    (17)    |       |
       |        |           |         |<---------->|       |

 (1) - PPP LCP Negotiation
 (2) - PPP EAP Identity Request
 (3) - PPP EAP Identity Response
 (4) - PPP EAP Request/EAP-Type=EAP-TLS (TLS Start, S bit set)
 (5) - PPP EAP-Response/EAP-Type=EAP-TLS (TLS client_hello)
 (6) - PPP EAP-Request/EAP-Type=EAP-TLS 
       (TLS server_hello...etc.; Fragment 1: L, M bits set)
 (7) - PPP EAP-Response/EAP-Type=EAP (Ack)
 (8) - PPP EAP-Request/EAP-Type=EAP-TLS (Fragment 2: M bit set)
 (9) - PPP EAP-Response/EAP-Type=EAP-TLS (Ack)
(10) - PPP EAP-Request/EAP-Type=EAP-TLS (Fragment 3)
(11) - PPP EAP-Response/EAP-Type=EAP-TLS 
       (TLS certificate..etc; Fragment 1: L, M bits set)
(12) - PPP EAP-Request/EAP-Type=EAP-TLS (Ack)
(13) - PPP EAP-Response/EAP-Type=EAP-TLS (Fragment 2)
(14) - PPP EAP-Request/EAP-Type=EAP-TLS 
       (TLS change_cipher_spec, TLS finished)
(15) - PPP EAP-Response/EAP-Type=EAP-TLS 
(16) - PPP EAP-Success - PPP Authentication Phase complete,
(17) - NCP Phase 

Comments:
If the Identity Request (2) packet is lost, then the AP is 
responsible for the retransmission. If the Identity Response (3)
packet is lost between the AP & peer, the AP is still responsible for 
the retransmission. I assume that it's a retransmission, 
hence the contents of the retransmission would not change.

Questions:
If EAP request fragment (6) gets lost, who is responsible 
for the retransmission?

If the AP is responsible, how long should the AP hold onto the 
EAP-Request fragment? (When should the AP free the fragment?)

If the AP is responsible, what should be the retransmission 
timeout value?

If the AP is responsible, what should be the maximum 
retransmission value?

If the AP is responsible, what should it do with a duplicate 
response it receives? (drop it or forward it?)

Thanks
Mahesh

-----Original Message-----
Date: Thu, 9 Jun 2005 09:14:09 -0700 (PDT)
From: Bernard Aboba <aboba [at] internaut.com>
To: eap [at] frascone.com
Subject: [eap] Re: Q: EAP retransmission & fragmentation

> If both the EAP-server & EAP-authenticator share the
> responsibility of retransmission, who decides when to
> retransmit?

The EAP authenticator is responsible for retransmitting EAP packets to the
EAP peer.

Retransmission between the EAP authenticator and EAP server is handled by
AAA, *not* by EAP.  In RADIUS, the NAS owns retransmission, so the EAP
server (AAA server) does not retransmit.  In Diameter, the reliable
transport (TCP/SCTP) handles retransmission.

> I mean, EAP-authenticator can start a timer
> after forwarding the request packet and retransmit the
> packet again on the timeout.

It can do this in RADIUS.  In Diameter, the Diameter client has a state
machine for retransmission/failover.  See RFC 3539.

> So can EAP-server.

No, when the EAP server and EAP authenticator are on separate boxes, the
EAP server does not retransmit.  This is handled by AAA.
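The fragment exchange in steps (6) through (10) of the figure above, implemented as an added example (not code from this thread or from RFC 2716): an authenticator-side fragmenter, the EAP-TLS header parser, and a peer-side reassembler that returns the Ack for each M-bit fragment, repeats its last reply when a Request with the same Identifier is retransmitted, and rejects fragments that exceed the announced TLS Message Length. The 1024-byte TLS message and 400-byte fragment size used in the test are constructed values.

```python
import struct
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_TLS = 1, 2, 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length-included, More fragments, Start

def fragment(tls_msg: bytes, first_ident: int, max_data: int) -> list:
    """Steps (6)/(8)/(10): L + 4-byte TLS Message Length on the first fragment, M on all but the last."""
    pkts, off, ident = [], 0, first_ident
    while off < len(tls_msg):
        chunk = tls_msg[off:off + max_data]
        off += len(chunk)
        flags = (FLAG_L if not pkts else 0) | (FLAG_M if off < len(tls_msg) else 0)
        hdr = struct.pack("!BB", EAP_TYPE_TLS, flags)
        body = hdr + (struct.pack("!I", len(tls_msg)) if flags & FLAG_L else b"") + chunk
        pkts.append(struct.pack("!BBH", EAP_REQUEST, ident, 4 + len(body)) + body)
        ident = (ident + 1) & 0xFF   # each new Request gets a fresh Identifier
    return pkts

def parse(pkt: bytes) -> dict:
    """Decode EAP header plus EAP-TLS Type, Flags and optional TLS Message Length."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
        raise ValueError("malformed EAP-TLS packet")
    flags, off, total = pkt[5], 6, None
    if flags & FLAG_L:
        total, off = struct.unpack("!I", pkt[6:10])[0], 10
    return {"code": code, "ident": ident, "flags": flags, "total": total, "data": pkt[off:]}

def ack(ident: int) -> bytes:
    """Steps (7)/(9): an EAP-TLS Ack is a Response with Flags 0 and no data."""
    return struct.pack("!BBHBB", EAP_RESPONSE, ident, 6, EAP_TYPE_TLS, 0)

class Reassembler:
    """Peer side. receive() -> (reply, tls_message): the Ack to send while fragments remain, else the whole message."""
    def __init__(self):
        self.buf, self.total, self.last = bytearray(), None, (None, None)
    def receive(self, pkt: bytes):
        p = parse(pkt)
        if p["ident"] == self.last[0]:   # retransmitted Request: repeat the reply, append nothing
            return self.last[1], None
        if p["flags"] & FLAG_L:          # first fragment announces the total length
            self.buf, self.total = bytearray(), p["total"]
        self.buf += p["data"]
        if self.total is not None and len(self.buf) > self.total:
            raise ValueError("fragments exceed the announced TLS Message Length")
        if p["flags"] & FLAG_M:
            self.last = (p["ident"], ack(p["ident"]))
            return self.last[1], None
        self.last, msg = (p["ident"], None), bytes(self.buf)   # caller now sends its TLS Response
        self.buf, self.total = bytearray(), None
        return None, msg
```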
