
RE: Issues & Fixes: Ordered delivery of EAP messages



Bernard Aboba <mailto:bernard_aboba@hotmail.com> allegedly scribbled on
Wednesday, March 07, 2007 12:04 AM:

>> Ordered delivery & duplicate rejection aren't the same thing.
> 
> In general, that's true.  But if you have an ACK/NAK protocol that
> only allows a single packet in flight other than retransmissions,
> doesn't effective duplicate rejection imply ordered delivery? 

Perhaps.  Unfortunately, RADIUS does not require duplicate detection.
This is what RFC 2865 says about duplicate detection: "The RADIUS server
can detect a duplicate request if it has the same client source IP
address and source UDP port and Identifier within a short span of time."
That's it.  I don't see the word "MUST" (or even "SHOULD") in that
sentence.  In fact, RFC 3748 is actually a bit stronger on the topic
(Section 4.1): "The peer is responsible for detecting and handling
duplicate Request messages before processing them in any way, including
passing them on to an outside party.  The authenticator is also
responsible for discarding Response messages with a non-matching
Identifier value before acting on them in any way, including passing
them on to the backend authentication server for verification." 

...

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
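
Added example, not part of the original message or of any RADIUS implementation: a duplicate-request cache keyed on the three fields the quoted RFC 2865 sentence names (client source IP, source UDP port, Identifier). The names `DuplicateCache` and `handle`, the 30-second window standing in for "a short span of time", and replaying the cached reply to a retransmission are assumptions of this sketch.

```python
import time
from typing import Callable, Dict, Optional, Tuple

Key = Tuple[str, int, int]  # (client source IP, source UDP port, Identifier)


class DuplicateCache:
    """Remembers recent requests so a retransmission is not processed twice."""

    def __init__(self, window: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self.window = window  # assumed value for "a short span of time"
        self.clock = clock    # injectable so the window can be tested
        self._seen: Dict[Key, Tuple[float, bytes]] = {}

    def _expire(self) -> None:
        # Drop entries older than the window; after that the same
        # (IP, port, Identifier) is treated as a new request.
        now = self.clock()
        stale = [k for k, (t, _) in self._seen.items() if now - t > self.window]
        for key in stale:
            del self._seen[key]

    def lookup(self, key: Key) -> Optional[bytes]:
        self._expire()
        entry = self._seen.get(key)
        return entry[1] if entry else None

    def store(self, key: Key, reply: bytes) -> None:
        self._seen[key] = (self.clock(), reply)


def handle(cache: DuplicateCache, src_ip: str, src_port: int, packet: bytes,
           process: Callable[[bytes], bytes]) -> Tuple[bytes, bool]:
    """Return (reply, was_duplicate); process() runs only for new requests."""
    if len(packet) < 20:  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
        raise ValueError("shorter than the 20-byte RADIUS header")
    key = (src_ip, src_port, packet[1])  # packet[1] is the Identifier octet
    cached = cache.lookup(key)
    if cached is not None:
        return cached, True  # retransmission: replay, do not re-process
    reply = process(packet)
    cache.store(key, reply)
    return reply, False
```

Because the key has only 256 Identifier values per source IP and port, the window length decides how soon a reused Identifier is treated as a new request rather than a duplicate.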