'Re: fragmented ipv4[udp] ignored by server.'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-misc
Subject:    Re: fragmented ipv4[udp] ignored by server.
From:       Mikhael Lialin <soultenq () gmail ! com>
Date:       2023-03-19 19:51:44
Message-ID: 92667b42-ade8-cbce-ceaf-ccfd448e6ed7 () gmail ! com
[Download RAW message or body]

Hello And good day.

One small update.

I set up the same freeradius configuration with official freeradius 
docker image and my radius eap configuration.

Used vmd as hyper-visor and alpine linux to run docker. And pf to 
redirect/nat traffic to freeradius.

And it worked!

Also previously same configuration of pf and freeradius worked with 
Freebsd to get eap tls authentication work.

May be it's some default openbsd configuration or pf rules.

Thank you.

On 3/6/23 14:20, Mikhael Lialin wrote:
>
> Hello Tom.
>
> It's a local setup. So radius server and eapol_client are located on 
> the near ports of cisco sg350 switch. And there is no rules on this 
> switch present regarding fragmented packets. Anyway it's capable of 
> rspan, and it's possible to mirror traffic from one port to another 
> for analyse. to be sure where those packet's loss. However this 
> requires one more pc in this scheme.
>
> In freeradius documentation 
> (in/usr/local/share/examples/freeradius/mods-available/eap) mentioned 
> that server and client certificates should have 509 extensions for 
> server and client authentication. And they have.
>
> Thank you.
>
> On 3/6/23 02:27, Tom Smyth wrote:
>> Hi Mikhael,
>> Moving this on to Misc List as it is more approiaate for support type 
>> requests,
>>
>> It may not be OpenbSD,  that is ignoring the fragments, depending on 
>> your setup
>> an intermediate device ( NAT router etc) could be proccessing the IP 
>> fragments incorrectly and or dropping them...
>> IP fragments are a pain as they dont really match the protocol of the 
>> original packet  and  have all sorts of issues when traversing 
>> multipath (hashed) multipath  routes between the source and destination..
>> cloudflare have a really good article on this
>> https://blog.cloudflare.com/ip-fragmentation-is-broken/
>>
>> Hope this is of help...
>>
>>
>> On Sun, 5 Mar 2023 at 22:04, Mikhael Lialin <soultenq@gmail.com> wrote:
>>
>>     Hi.
>>
>>     I'm successfully configured eap tls with freeradius.
>>
>>     However with default value for fragment_size in wpa_supplicant.conf
>>     which equals 1398 - packets get fragmented and seems ignored by
>>     the server.
>>
>>     Both systems are openbsd 7.2
>>
>>     here is output from thsark:
>>
>>     --target radius--
>>     9 124.886123   10.10.2.10 ? 10.10.2.1    RADIUS 188
>>     Access-Request id=0
>>     10 124.894967    10.10.2.1 ? 10.10.2.10   RADIUS 106
>>     Access-Challenge id=0
>>     11 124.914163   10.10.2.10 ? 10.10.2.1    RADIUS 373
>>     Access-Request id=1
>>     12 125.010446    10.10.2.1 ? 10.10.2.10   RADIUS 1320
>>     Access-Challenge id=1
>>     13 125.014979   10.10.2.10 ? 10.10.2.1    RADIUS 191
>>     Access-Request id=2
>>     14 125.032537    10.10.2.1 ? 10.10.2.10   RADIUS 1320
>>     Access-Challenge id=2
>>     15 125.034214   10.10.2.10 ? 10.10.2.1    RADIUS 191
>>     Access-Request id=3
>>     16 125.045650    10.10.2.1 ? 10.10.2.10   RADIUS 300
>>     Access-Challenge id=3
>>
>>
>>     --source eapol_test with wpa_supplicant.conf---
>>
>>     1   0.000000   10.10.2.10 ? 10.10.2.1    RADIUS 188
>>     Access-Request id=0
>>     2   0.011025    10.10.2.1 ? 10.10.2.10   RADIUS 106
>>     Access-Challenge id=0
>>     3   0.027023   10.10.2.10 ? 10.10.2.1    RADIUS 373
>>     Access-Request id=1
>>     4   0.126651    10.10.2.1 ? 10.10.2.10   RADIUS 1320
>>     Access-Challenge id=1
>>     5   0.127440   10.10.2.10 ? 10.10.2.1    RADIUS 191
>>     Access-Request id=2
>>     6   0.148742    10.10.2.1 ? 10.10.2.10   RADIUS 1320
>>     Access-Challenge id=2
>>     7   0.149411   10.10.2.10 ? 10.10.2.1    RADIUS 191
>>     Access-Request id=3
>>     8   0.161846    10.10.2.1 ? 10.10.2.10   RADIUS 300
>>     Access-Challenge id=3
>>     9   0.179447   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP
>>     protocol (proto=UDP 17, off=0, ID=b444)
>>     10   3.193244   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP
>>     protocol (proto=UDP 17, off=0, ID=b576)
>>     11   9.213196   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP
>>     protocol (proto=UDP 17, off=0, ID=ef21)
>>     12  21.233280   10.10.2.10 ? 10.10.2.1    IPv4 1514 Fragmented IP
>>     protocol (proto=UDP 17, off=0, ID=00d0)
>>
>>     eapol_test fails
>>
>>     setting fragment_size = 1212 in wpa_supplicant.conf and getting
>>     success.
>>
>>     output from tshark:
>>
>>     --target radius--
>>     1   0.000000   10.10.2.10 ? 10.10.2.1    RADIUS 188
>>     Access-Request id=0
>>     2   0.006613    10.10.2.1 ? 10.10.2.10   RADIUS 106
>>     Access-Challenge id=0
>>     3   0.024538   10.10.2.10 ? 10.10.2.1    RADIUS 373
>>     Access-Request id=1
>>     4   0.104617    10.10.2.1 ? 10.10.2.10   RADIUS 1320
>>     Access-Challenge id=1
>>     5   0.106355   10.10.2.10 ? 10.10.2.1    RADIUS 191
>>     Access-Request id=2
>>     6   0.114877    10.10.2.1 ? 10.10.2.10   RADIUS 1320
>>     Access-Challenge id=2
>>     7   0.118679   10.10.2.10 ? 10.10.2.1    RADIUS 191
>>     Access-Request id=3
>>     8   0.128309    10.10.2.1 ? 10.10.2.10   RADIUS 300
>>     Access-Challenge id=3
>>     9   0.145442   10.10.2.10 ? 10.10.2.1    RADIUS 1415
>>     Access-Request id=4
>>     10   0.160230    10.10.2.1 ? 10.10.2.10   RADIUS 106
>>     Access-Challenge id=4
>>     11   0.161621   10.10.2.10 ? 10.10.2.1    RADIUS 1372
>>     Access-Request id=5
>>     12   0.262102    10.10.2.1 ? 10.10.2.10   RADIUS 161
>>     Access-Challenge id=5
>>     13   0.263753   10.10.2.10 ? 10.10.2.1    RADIUS 191
>>     Access-Request id=6
>>     14   0.281330    10.10.2.1 ? 10.10.2.10   RADIUS 226
>>     Access-Accept id=6
>>
>>     --source eapol_test with wpa_supplicant.conf---
>>
>>          1   0.000000   10.10.2.10 ? 10.10.2.1    RADIUS 188
>>     Access-Request id=0
>>          2   0.010060    10.10.2.1 ? 10.10.2.10   RADIUS 106
>>     Access-Challenge id=0
>>          3   0.023662   10.10.2.10 ? 10.10.2.1    RADIUS 373
>>     Access-Request id=1
>>          4   0.108072    10.10.2.1 ? 10.10.2.10   RADIUS 1320
>>     Access-Challenge id=1
>>          5   0.108734   10.10.2.10 ? 10.10.2.1    RADIUS 191
>>     Access-Request id=2
>>          6   0.118632    10.10.2.1 ? 10.10.2.10   RADIUS 1320
>>     Access-Challenge id=2
>>          7   0.119341   10.10.2.10 ? 10.10.2.1    RADIUS 191
>>     Access-Request id=3
>>          8   0.132026    10.10.2.1 ? 10.10.2.10   RADIUS 300
>>     Access-Challenge id=3
>>          9   0.147236   10.10.2.10 ? 10.10.2.1    RADIUS 1415
>>     Access-Request
>>     id=4
>>         10   0.163300    10.10.2.1 ? 10.10.2.10   RADIUS 106
>>     Access-Challenge id=4
>>         11   0.164158   10.10.2.10 ? 10.10.2.1    RADIUS 1372
>>     Access-Request
>>     id=5
>>         12   0.265514    10.10.2.1 ? 10.10.2.10   RADIUS 161
>>     Access-Challenge id=5
>>         13   0.266328   10.10.2.10 ? 10.10.2.1    RADIUS 191
>>     Access-Request id=6
>>         14   0.284607    10.10.2.1 ? 10.10.2.10   RADIUS 226
>>     Access-Accept id=6
>>
>>     Question: How to avoid altering fragment_size to get this working ?
>>
>>     Some clients could not be set so easily like phones.
>>
>>     Thank you.
>>
>>     Mikhael.
>>
>>
>>
>> -- 
>> Kindest regards,
>> Tom Smyth.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic