Is: Split Horizon Was: (RADIATOR) PreProxyHook

Rok Papez rok.papez at arnes.si
Wed Dec 22 07:14:05 CST 2004


Hi!

On Wednesday 08 December 2004 13:05 Rok Papez wrote:
> Hello Hugh and others :).
> 
> On Saturday 20 November 2004 00:44 you wrote:
> 
> > Normally the proxy target is defined by a Realm or Handler clause and 
> > hence a PreProcessingHook or PreAuthHook makes sense in that context.
> 
> Actually you need access to the AuthRADIUS object so you can
> check the Hosts variables.
> 
> > 
> > Your previous mail does not mention how you are selecting the proxy 
> > target?
> 
> Like this:
> 
> # ----------------------
> # some.org.tld
> # ----------------------
> <Client 10.1.1.1> 
>         Identifier      some.org.tld
>         Secret         secret
> </Client>
> 
> <Handler Realm=/^some\.org\.tld$|^.*\.some\.org\.tld$/>
>         <AuthBy RADIUS>
>                 Host     10.1.1.1
>                 Secret   secret
>                 AuthPort 1812
>                 AcctPort 1813
>                 OutPort  1814
>                 StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, NAS-IP-Address
>                 SplitHorizon
>         </AuthBy>
> </Handler>
> 
> ======================================================
> I've implemented split horizon so that if a proxied request is sent to the
> same host group it came from, the request is rejected. The
> code below unfortunately won't work for a host with multiple
> RADIUS servers.
> 
> This patch is the most elegant way I managed to implement it.
> Feel free to review/use it.

If anyone is interested, here is a more mature version:

--- radiator/Radius/AuthRADIUS.pm.orig  Mon Dec  6 14:49:09 2004
+++ radiator/Radius/AuthRADIUS.pm.tmp   Thu Dec  9 12:53:04 2004
@@ -43,6 +43,7 @@
      'UseExtendedIds'             => 'flag',
      'ClearTextTunnelPassword'    => 'flag',
      'AllowInRequest'             => 'string',
+     'SplitHorizon'               => 'flag',
      );
 
 # This is a hash of requests for which we are awaiting replies
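Review bot: the new 'SplitHorizon' flag is added to the keyword table here but nothing else in the patch documents it; add a short description alongside the entry (what it rejects, and that the check is skipped when the flag is absent) so the option shows up wherever the other AuthBy RADIUS parameters are described.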
@@ -147,6 +148,27 @@
     my ($self, $p, $dummy, $extra_checks) = @_;
 
     $self->log($main::LOG_DEBUG, "Handling with Radius::AuthRADIUS", $p);
+
+    # Split Horizon check
+    # Check if we received from one of the servers we are sending to.  Unfortunately
+    # becouse OutPort is not set, we can't include it in a check.
+    if($self->{SplitHorizon}) {
+        my $hostTo;
+       my $hostToAddx;
+       my $hostToAddxStr;
+        my $hostFromAddxStr = Radius::Util::inet_ntop($p->{RecvFromAddress});
+
+       foreach $hostTo (@{$self->{Hosts}}) {
+           foreach $hostToAddx (@{$hostTo->{Address}}) {
+               $hostToAddxStr = Radius::Util::inet_ntop($hostToAddx);
+               if ( $hostToAddxStr eq $hostFromAddxStr ) {
+                   $self->log($main::LOG_WARNING, "SplitHorizon - Radius loop detected. Req from: " .
+                                                  "$hostFromAddxStr loops back.");
+                   return ($main::REJECT, "SplitHorizon - Radius loop detected");
+               }
+            }
+       }
+    }
 
     # Now we might fork before processing the request
     # Should only do this for "slow" authentication methods
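Review bot: the check passes $p->{RecvFromAddress} to Radius::Util::inet_ntop without first testing that it is defined, so a request that did not arrive over the network (or one where the field is unset) would hand an undefined value to inet_ntop; guard the block with `if ($self->{SplitHorizon} && defined $p->{RecvFromAddress})` or skip the check when the field is missing. Since both sides are converted with inet_ntop purely to compare strings, comparing the packed values directly (`$hostToAddx eq $p->{RecvFromAddress}`) would avoid two conversions per host on every proxied request. As the comment notes, only the address is compared, so two RADIUS servers on the same IP but different ports are treated as the same peer; it is worth stating plainly in the comment that the check only catches a request that arrived directly from one of the configured Hosts, since a loop through an intermediate proxy never matches an address here. Minor: the block mixes tabs and spaces for indentation, and 'becouse' should read 'because'.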


-- 
best regards,
Rok Papež.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.