Govroam

The Roaming solution for the public sector

public:how_to_deal_with_fragmentation_of_eap_packets

Differences

This shows you the differences between two versions of the page.

public:how_to_deal_with_fragmentation_of_eap_packets [2022/12/06 10:32]
admin [Cause]
public:how_to_deal_with_fragmentation_of_eap_packets [2022/12/06 10:46]
admin
Line 19: Line 19:
  
 Doing this means that during an authentication the minimum (one server cert and one client cert) are passed around rather than a number of client, server and intermediates. However, the number of certificates, and thus size of packet, is quite dependent on the PKI. A private CA can have a very short chain, whilst a public CA could have a long one. Doing this means that during an authentication the minimum (one server cert and one client cert) are passed around rather than a number of client, server and intermediates. However, the number of certificates, and thus size of packet, is quite dependent on the PKI. A private CA can have a very short chain, whilst a public CA could have a long one.
 +
 +The key length used to encrypt the certificates can impact the certificate sizes. So using 4096 results in a file bigger than if using 2048. There are arguments for and against using 4096 over 2048. If there are certificate size issues then you're not compromising security by running 2048 rather than 4096 and the smaller key lengths have much less impact on CPU.
  
 ======Solutions====== ======Solutions======
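Review bot: the new paragraph's phrase "key length used to encrypt the certificates" is imprecise and should say which key is meant; the certificates are not encrypted, and what grows between 2048 and 4096 is the RSA public key embedded in each certificate and the signature over it, so suggest "The RSA key length of the certificates affects their size: a 4096-bit key produces a larger certificate than a 2048-bit key". It would also help to state that the smaller size only appears once the certificates are reissued with the shorter key, since the key size is fixed at issuance.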
Line 26: Line 28:
   * Disable packet fragmentation checks/blocks on the firewall (just for the NRPS and any other known RADIUS servers)   * Disable packet fragmentation checks/blocks on the firewall (just for the NRPS and any other known RADIUS servers)
   * Ensure only the minimum number of certs are sent in the auth and that as much of the chain as possible is installed on the client and server.   * Ensure only the minimum number of certs are sent in the auth and that as much of the chain as possible is installed on the client and server.
 +  * Change from a public CA to a private CA and just have a Root and client/server certificate rather than multiple intermediates
 +  * Use 2048 rather than 4096 for the key length
   * Set Framed-MTU to 1100   * Set Framed-MTU to 1100
  
 The last option is somewhat of a last resort because it's not universally respected by RADIUS servers. However, what it does do is to pass a hint to a RADIUS server to request that the RADIUS server use a maximum of 1100 bytes for the RADIUS packet. This would mean that, with the additional headers provided by the TCP stack that the packets should never be fragmented.  The last option is somewhat of a last resort because it's not universally respected by RADIUS servers. However, what it does do is to pass a hint to a RADIUS server to request that the RADIUS server use a maximum of 1100 bytes for the RADIUS packet. This would mean that, with the additional headers provided by the TCP stack that the packets should never be fragmented. 
  
-The caveat is, as stated, that different RADIUS server react differently to seeing Framed-MTU. It certainly can't be relied on at the solution. +The caveat is, as stated, that different RADIUS servers react differently to seeing Framed-MTU and all equipment (routers, servers, firewalls) in the path would have to respect it. It certainly can't be relied on as the solution.
- +
-<insert info about RADIUS server support for Framed-MTU>+
  
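Review bot: dropping the "<insert info about RADIUS server support for Framed-MTU>" placeholder leaves the caveat that "different RADIUS servers react differently to seeing Framed-MTU" with no pointer to which servers honour it, so either keep a TODO marker or add one sentence on how to confirm a given server's behaviour before relying on the hint. Two smaller points on the same hunk: the new bullet "Use 2048 rather than 4096 for the key length" should name RSA and note that the certificates must be reissued for the change to take effect, and the unchanged sentence about "the additional headers provided by the TCP stack" is inaccurate, since RADIUS is carried over UDP (RFC 2865), so "UDP/IP headers" is what the 1100-byte figure needs to leave room for.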
public/how_to_deal_with_fragmentation_of_eap_packets.txt · Last modified: 2022/12/06 11:02 by admin