Taskforce Mobility Mailarchive


Subject loop detection, current state
From Stefan Winter <stefan.winter@xxxxxxxxxx>
Date Thu, 14 Aug 2008 15:21:19 +0200

Hello,

some time has passed since the last TF-Mobility meeting. Meanwhile, I've been negotiating what can be done and would like to present the options so far.

- check incoming IP != outgoing IP. This is similar to what we do in RADIUS right now. It only detects a loop if a tight sub-loop (direct bounces) is present within the loop. Cannot distinguish between multiple instances on one IP address. This is not doable in a completely dynamic setup right now - there were some suggestions from OSC how to do it in AuthBy DNSROAM or ServerRADSEC clauses, but only if one end of the connection has a list of IPs - which is not the case in a dynamic setup. Implementing this should be rather easy though.

- check cert of incoming != cert of outgoing. Same restriction to tight loops. Can distinguish between multiple instances, assuming that different instances use different certificates. Is not implemented yet, but might be easy to do.

- introduce attribute with a TTL and count down, if 0 discard. Can detect all kinds of loops. Attribute definition is easy, we have an eduroam-Loop-TTL attribute assigned (within the Dante PEN). Requires arithmetic in proxy hops to decrement the attribute. That may be a bit clumsy to implement, and I'm not sure if we get support in mainstream servers.

- count number of Proxy-State attributes, if too high, discard. Proposed by Alan DeKok. Can detect all kinds of loops. Doesn't need any new attribute. Still needs arithmetic in servers. Is not guaranteed to work in all environments. That is because: 1) a proxy may choose not to add its own Proxy-State (thereby not incrementing the count); 2) a proxy may take all Proxy-State attributes out of the packet, store them statefully and re-inject them when the packet comes back. According to Alan these 2 things are not as discouraging as they sound: *most* servers add Proxy-State, and *most* leave them untouched.

As you can see from above, none of the options is all-roses. We might go for a combination of them. Let's see.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
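As an added illustration, not part of the mail above or of any eduroam or RADIUS server code, here is a small Python simulation of the two count-based options Stefan lists: a decrementing Loop-TTL attribute and a Proxy-State count limit, applied at each hop of a three-proxy ring. The vendor id and sub-type used for eduroam-Loop-TTL and the count limit are placeholders, not the values assigned within the DANTE PEN.

```python
import struct

# Placeholders: the real eduroam-Loop-TTL vendor id / sub-type are not given here.
PROXY_STATE, VENDOR_SPECIFIC = 33, 26             # RFC 2865 attribute types
LOOP_TTL_VENDOR, LOOP_TTL_SUBTYPE = 0xFFFFFF, 1   # assumption, not the DANTE PEN
MAX_PROXY_STATES = 8                              # constructed site policy

def parse_attrs(data):
    """RFC 2865 TLVs: 1-byte type, 1-byte length (incl. header), value."""
    attrs, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def make_loop_ttl(ttl):
    # VSA body: vendor id, vendor type, vendor length (6 = 2 header + 4 value), value
    return VENDOR_SPECIFIC, struct.pack("!IBBI", LOOP_TTL_VENDOR, LOOP_TTL_SUBTYPE, 6, ttl)

def loop_ttl(value):
    """TTL carried in an eduroam-Loop-TTL VSA, or None for any other VSA."""
    if len(value) != 10: return None
    vid, sub, sublen, ttl = struct.unpack("!IBBI", value)
    return ttl if (vid, sub, sublen) == (LOOP_TTL_VENDOR, LOOP_TTL_SUBTYPE, 6) else None

def proxy_hop(data, my_state):
    """One hop: both loop checks, then add own Proxy-State -> (bytes or None, reason)."""
    attrs = parse_attrs(data)
    if sum(t == PROXY_STATE for t, _ in attrs) >= MAX_PROXY_STATES:
        return None, "proxy-state count limit"
    out = []
    for t, v in attrs:
        ttl = loop_ttl(v) if t == VENDOR_SPECIFIC else None
        if ttl is not None:
            if ttl - 1 <= 0:          # count down; at 0 the packet is dropped
                return None, "loop-ttl expired"
            out.append(make_loop_ttl(ttl - 1))
        else:
            out.append((t, v))
    out.append((PROXY_STATE, my_state))
    return encode_attrs(out), "forwarded"

def simulate_loop(start_ttl, ring=("A", "B", "C")):
    # Bounce a packet around the proxy ring until a check drops it -> (hops, reason)
    data, hops = encode_attrs([make_loop_ttl(start_ttl)]), 0
    while data is not None:
        data, reason = proxy_hop(data, ring[hops % len(ring)].encode())
        hops += 1
    return hops, reason
```

With a small TTL the Loop-TTL check fires first; with a large TTL the loop is only caught by the Proxy-State count, which is what makes the two checks complementary.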