eap Mailing List: Re: Ordered delivery of EAP messages

[Glen Zorn (gwz) (gwz]

Alan DeKok <mailto:aland [at] deployingradius.com> allegedly scribbled on
Wednesday, March 07, 2007 5:45 AM:

> Alper Yegin wrote:
>> RFC 2865 says:
>> 
>>       The RADIUS server can detect a duplicate request if
>>       it has the same client source IP address and source UDP port
>>       and Identifier within a short span of time.
>> 
>> This, to me, implies duplicate detection on the server side does not
>> rely on orderly delivery. Keeping the history for "a short span of
>> time" allows duplicate detection irrespective of the order the
>> requests come in. 
> 
>   Yes.  All well-behaved RADIUS servers do this.  RADIUS servers that
> *don't* do this can led to believe that a user has logged in twice,
> when the second attempt was just a duplicate. 
> 
>> As for the responses... Assuming the RADIUS client transmitted a
>> request twice (first one timed out), if it receives one of the
>> responses, would it still accept the second (duplicate) response if
>> it arrives as well? 
> 
>   What do you mean "accept"?  The client has already had a response
> to the first transmission.  The only safe thing to do here is to
> silently discard the response to the re-transmitted request. 
> Ideally, this case SHOULD be separated from the case of unsolicited
> or spoofed "replies" by the client also caching requests for a period
> of time.     
> 
>> Wouldn't
>> the RADIUS client just drop the second response because there is no
>> outstanding request to match anymore?
> 
>   That is the safest thing to do, yes.

All of these things make total sense but AFAICT none are actually
mandated by RFC 2865. 

> 
>   Alan DeKok.