DHCP MTU can still be an issue.

- EAP minimum MTU is 1020 octets.

- Some EAP methods (e.g., EAP-AKA) may not work with a lower layer
where the MTU is less than EAP minimum MTU.

It seems that your tests are based on an EAP method that supports
fragmentation?

Yoshihiro Ohba



On Thu, Oct 25, 2007 at 09:33:45AM +0200, Alan DeKok wrote:
> Richard Pruss wrote:
> > The fragmentation size problem may be addressed by the relay agent
> > having the role of EAP authenticator, as it splits the EAP traffic into
> > RADIUS out of DHCP, and DHCP messages should be normally sized to the
> > server.
> 
>   RADIUS packets are maximum 4k in size, so RADIUS wouldn't be the
> limiting factor.  What is the limiting factor is EAPoL, where packets
> can't be fragmented.  Most RADIUS servers already look for a MTU in the
> Access-Request, and limit the size of EAP responses on their end, so
> that the EAP data will fit into one Ethernet packet.
> 
>   My tests on various implementations show that RADIUS servers and
> 802.1x supplicants appear to work with MTUs set very low, such as 100
> octets.  The result is a LOT more RADIUS traffic than normal, but the
> authentication process succeeds.
> 
>   So limiting the DHCP packet sizes to 500 octets shouldn't affect the
> operation of EAP.  Similar issues apply to PANA, where there is IP and UDP
> overhead on top of what would otherwise be EAPoL.
> 
>   Alan DeKok.
> 
> 
> _______________________________________________
> Int-area mailing list
> [email protected]
> https://www1.ietf.org/mailman/listinfo/int-area
> 
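
Added example, not part of either message above: a sketch of the fragmentation the thread refers to, using EAP-TLS framing per RFC 5216 (L and M flag bits, TLS Message Length in the first fragment) to show how the packet count grows as the MTU drops from 1020 to 500 to 100 octets. The function names and SAMPLE_FLIGHT are assumptions made for illustration, and `mtu` here means the largest EAP packet allowed, with lower-layer overhead ignored.

```python
import struct

EAP_REQUEST, EAP_TYPE_TLS = 1, 13          # RFC 3748 code, RFC 5216 method type
FLAG_L, FLAG_M = 0x80, 0x40                # Length-included, More-fragments
HDR = 6                                    # code, id, length(2), type, flags
SAMPLE_FLIGHT = bytes(range(256)) * 12     # constructed 3072-byte stand-in for a TLS flight

def fragment(tls_data: bytes, mtu: int, first_id: int = 1) -> list[bytes]:
    """Split one TLS flight into EAP-TLS Request packets no larger than mtu."""
    if mtu <= HDR + 4:
        raise ValueError("MTU leaves no room for TLS data")
    packets, offset, ident = [], 0, first_id
    while True:
        # L bit and 4-byte total length go only on the first packet of a fragmented flight.
        want_len = offset == 0 and len(tls_data) > mtu - HDR
        room = mtu - HDR - (4 if want_len else 0)
        chunk = tls_data[offset:offset + room]
        offset += len(chunk)
        more = offset < len(tls_data)
        flags = (FLAG_L if want_len else 0) | (FLAG_M if more else 0)
        total = struct.pack("!I", len(tls_data)) if want_len else b""
        body = bytes([EAP_TYPE_TLS, flags]) + total + chunk
        packets.append(struct.pack("!BBH", EAP_REQUEST, ident & 0xFF, 4 + len(body)) + body)
        ident += 1
        if not more:
            return packets

def reassemble(packets: list[bytes]) -> bytes:
    """Receiver side: validate each header and rebuild the TLS flight."""
    data, declared = b"", None
    for i, pkt in enumerate(packets):
        if len(pkt) < HDR or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("not an EAP-TLS packet")
        if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
            raise ValueError("EAP Length field disagrees with packet size")
        flags, pos = pkt[5], HDR
        if flags & FLAG_L:
            declared = struct.unpack("!I", pkt[pos:pos + 4])[0]
            pos += 4
        if bool(flags & FLAG_M) != (i < len(packets) - 1):
            raise ValueError("M bit inconsistent with fragment position")
        data += pkt[pos:]
    if declared is not None and declared != len(data):
        raise ValueError("TLS Message Length does not match reassembled data")
    return data

def extra_round_trips(packets: list[bytes]) -> int:
    # Every fragment but the last is acknowledged by an empty EAP-TLS response.
    return len(packets) - 1
```

For the constructed 3072-octet flight this gives 4 packets at an MTU of 1020, 7 at 500 and 33 at 100; over RADIUS each fragment and each acknowledgement is its own Access-Challenge or Access-Request.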

