Andriy Gapon <[EMAIL PROTECTED]> wrote:
> I think that it would be nice if list of such situations could be
> configurable and extensible.

No. Dropping the packet is a security decision and there is no reason to make it configurable.

> For example, there are some RADIUS-related solutions/drafts out
> there that require requests being silently dropped if they don't
> have Message-Authenticator or have incorrect value of
> Message-Authenticator. Neither can be done now with FreeRADIUS
> without modifying its source code.

Then we will modify the source code to add those cases, like we did when EAP support was added.

> 1. have a configurable list of attributes that require
> Message-Authenticator (so that I could put Message-Digest there, for
> example, in addition to EAP-Message)

Then people will edit the list to break the server. No.

> 2. have a configuration knob that could tell "drop all incoming messages
> without Message-Authenticator"

That could be done.

> 3. do Message-Authenticator value validation in rad_recv() (this could
> be configurable too, defaulting to current behavior)

No. It's a performance issue.

> Even more flexible would be a capability to silently drop packet in any
> (auth) module, but I think that it would require a lot of work. BTW,
> there is a bug report in FreeRADIUS bugzilla related to this (it's not
> mine):
> http://bugs.freeradius.org/show_bug.cgi?id=313

It's a bad idea, it violates the RFCs, and it makes your network more unstable.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
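As an added illustration of the mechanics behind points 2 and 3 above (example code written for this thread, not FreeRADIUS source and not from either poster): a minimal receive-side check for an Access-Request that drops EAP requests lacking Message-Authenticator, optionally requires the attribute on every request (the `require_always` knob is an invented name), and verifies the attribute as HMAC-MD5 over the packet with the attribute value zeroed, as RFC 2869 section 5.14 specifies. Attribute numbers 79 (EAP-Message) and 80 (Message-Authenticator) are the standard ones; the shared secret, the Request Authenticator and the packet contents are constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS attribute type codes (RFC 2865 / RFC 2869).
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

CODE_ACCESS_REQUEST = 1
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Request Authenticator(16)

# Constructed values for the example; a real server takes these from its client config.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))


def parse_attributes(packet):
    """Walk the TLV attribute list; returns (type, value_offset, value) triples.

    Raises ValueError on a malformed length so the caller drops the packet."""
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if len(packet) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def compute_message_authenticator(packet, value_offset, secret):
    """HMAC-MD5 keyed with the shared secret over the whole packet, with the
    16-byte Message-Authenticator value replaced by zeros (RFC 2869 s5.14)."""
    zeroed = packet[:value_offset] + bytes(16) + packet[value_offset + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def check_access_request(packet, secret, require_always=False):
    """Return 'accept' or a 'drop: ...' reason, never an error response:
    a silently dropped packet gives a forger no oracle."""
    if len(packet) < HEADER_LEN:
        return "drop: short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_REQUEST or length != len(packet):
        return "drop: bad code or length"
    try:
        attrs = parse_attributes(packet)
    except ValueError as exc:
        return "drop: %s" % exc

    mas = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    has_eap = any(t == ATTR_EAP_MESSAGE for t, _, _ in attrs)

    if not mas:
        if has_eap:
            return "drop: EAP-Message without Message-Authenticator"
        if require_always:
            return "drop: Message-Authenticator required by policy"
        return "accept"  # legacy PAP/CHAP request: nothing to verify here
    if len(mas) > 1:
        return "drop: multiple Message-Authenticator attributes"  # this example's choice
    off, val = mas[0]
    if len(val) != 16:
        return "drop: Message-Authenticator length is not 16"
    expected = compute_message_authenticator(packet, off, secret)
    if not hmac.compare_digest(expected, val):
        return "drop: Message-Authenticator mismatch"
    return "accept"


def build_access_request(attrs, secret, sign, authenticator=SAMPLE_AUTHENTICATOR):
    """Construct an Access-Request; with sign=True a correct Message-Authenticator
    is appended, which is what a well-behaved NAS does for EAP."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    ma_offset = None
    if sign:
        ma_offset = HEADER_LEN + len(body) + 2
        body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    packet = struct.pack("!BBH", CODE_ACCESS_REQUEST, 1, HEADER_LEN + len(body))
    packet += authenticator + body
    if sign:
        mac = compute_message_authenticator(packet, ma_offset, secret)
        packet = packet[:ma_offset] + mac + packet[ma_offset + 16:]
    return packet


def sample_packets():
    """Constructed inputs: a signed EAP request, the same request unsigned,
    a plain PAP-style request, and a signed request tampered after signing."""
    eap = b"\x02\x01\x00\x0a\x01alice"  # EAP Response/Identity for "alice"
    signed = build_access_request([(ATTR_USER_NAME, b"alice"), (ATTR_EAP_MESSAGE, eap)],
                                  SAMPLE_SECRET, sign=True)
    unsigned = build_access_request([(ATTR_USER_NAME, b"alice"), (ATTR_EAP_MESSAGE, eap)],
                                    SAMPLE_SECRET, sign=False)
    pap = build_access_request([(ATTR_USER_NAME, b"bob")], SAMPLE_SECRET, sign=False)
    tampered = bytearray(signed)
    tampered[HEADER_LEN + 2] ^= 0x01  # flip one bit of the User-Name value
    return {"signed": signed, "unsigned": unsigned, "pap": pap, "tampered": bytes(tampered)}


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, "->", check_access_request(pkt, SAMPLE_SECRET))
```

The performance point in the thread is visible in `compute_message_authenticator`: verifying costs an HMAC over the whole packet per request, whereas the presence check in `check_access_request` is a single pass over the attribute list. The `require_always` policy is what point 2 asks for; verifying on receipt is point 3.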