[RADIATOR] Suggestion: Support of TLS Session Resumption based on tickets and not just session IDs
Heikki Vatiainen
hvn at open.com.au
Mon Oct 19 08:49:23 CDT 2015
On 18.10.2015 11.07, Nadav Hod wrote:
> Session Resumption as implemented by Radiator seems to work based on
> Session ID (connection caching at the server).
That's correct.
> Session resumption with session IDs has a major limitation: servers are
> responsible for remembering negotiated TLS sessions for a given period
> of time. It poses scalability issues for servers with a large load of
> concurrent connections per second and for servers that want to cache
> sessions for a long time. Session ticket resumption is designed to
> address this issue.
> OpenSSL supports Session Tickets as of OpenSSL 0.9.8h. It may be worth
> looking into. I'm not sure if session synchronization of tickets/cache
> between multiple servers is necessary for an AAA server (as opposed to a
> web server), but I imagine it may also provide a big performance boost
> in large deployments.
I'd say the synchronisation requirements are the same for an AAA server too.
What is different is that TLS based EAP client does not need to make
concurrent requests like a browser might do. Where tickets might become
useful is an environment where the number of AAA servers changes
dynamically. For example, the original server that did the full
authentication may not be present anymore (scale in) or there are new
servers (scale out) that were brought up to handle the load.
Also, does anyone know if the EAP clients support SessionTicket based
resumption? For example, wpa_supplicant docs indicate this is available
but disabled by default.
As for server-side support, the recently added Gossip framework
might be useful for distributing the required information between the
Radiator instances, provided the considerations in the RFC are followed etc.
So the question is: is this supported by the clients, and what would the
need for this be?
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
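The state-management difference the thread is discussing can be seen in a small model. The following is an added example, not Radiator code and not from either poster: it contrasts session-ID resumption (server keeps a per-session cache) with RFC 5077 style tickets (server keeps only a ticket-protection key, the session state travels encrypted inside the ticket). The server names, lifetimes, and the ticket-state layout are constructed for the example, and the RFC's AES-128-CBC is replaced by a constructed HMAC-SHA256 keystream because the Python standard library has no AES; a real implementation uses a proper AEAD. It shows the scale-in case Heikki mentions (the original server disappears) and why the ticket key must be synchronised across instances.

```python
import hashlib
import hmac
import os
import struct
import time

# --- Stateful resumption: session IDs (RFC 5246 section 7.4.1.2) ----------

class SessionIdServer:
    """Server whose resumption state lives only in its own memory."""
    def __init__(self, name):
        self.name = name
        self.cache = {}  # session_id -> master_secret: grows with every full handshake

    def full_handshake(self):
        session_id, master_secret = os.urandom(32), os.urandom(48)
        self.cache[session_id] = master_secret
        return session_id

    def resume(self, session_id):
        return self.cache.get(session_id)  # only the server that cached it can resume

# --- Stateless resumption: session tickets (RFC 5077 section 4 layout) ----

class TicketKey:
    """Ticket-protection key; every instance in the pool must hold the same one."""
    def __init__(self):
        self.key_name = os.urandom(16)  # lets the server pick the right key
        self.enc_key = os.urandom(16)
        self.mac_key = os.urandom(32)

def _keystream(key, iv, length):
    # Constructed stand-in for AES-128-CBC: HMAC-SHA256 in counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class TicketServer:
    """Server that stores nothing per session; state is carried by the client."""
    def __init__(self, name, ticket_key, lifetime=3600):
        self.name, self.key, self.lifetime = name, ticket_key, lifetime
        self.cache = {}  # stays empty: nothing is cached per session

    def full_handshake(self, now=None):
        now = int(time.time()) if now is None else now
        # Constructed state layout: issue time (4 bytes) || master secret (48 bytes)
        state = struct.pack(">I", now) + os.urandom(48)
        iv = os.urandom(16)
        enc = _xor(state, _keystream(self.key.enc_key, iv, len(state)))
        # RFC 5077: key_name || iv || encrypted_state<len> || mac over all of that
        body = self.key.key_name + iv + struct.pack(">H", len(enc)) + enc
        return body + hmac.new(self.key.mac_key, body, hashlib.sha256).digest()

    def resume(self, ticket, now=None):
        now = int(time.time()) if now is None else now
        if len(ticket) < 16 + 16 + 2 + 32:
            return None
        body, mac = ticket[:-32], ticket[-32:]
        if body[:16] != self.key.key_name:  # unknown key: this instance was never synced
            return None
        expected = hmac.new(self.key.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):  # tampered or forged ticket
            return None
        iv, (enc_len,) = body[16:32], struct.unpack(">H", body[32:34])
        enc = body[34:34 + enc_len]
        if len(enc) != enc_len:
            return None
        state = _xor(enc, _keystream(self.key.enc_key, iv, len(enc)))
        (issued,) = struct.unpack(">I", state[:4])
        if now - issued > self.lifetime:  # expired: client must do a full handshake
            return None
        return state[4:]

def demo_session_id():
    """Full handshake on A, then resumption attempts on A and on a second server B."""
    a, b = SessionIdServer("A"), SessionIdServer("B")
    sid = a.full_handshake()
    return a.resume(sid) is not None, b.resume(sid) is not None, len(a.cache)

def demo_tickets():
    """Ticket issued by A survives A disappearing, but not key mismatch, expiry or tampering."""
    shared = TicketKey()
    a, b = TicketServer("A", shared), TicketServer("B", shared)
    c = TicketServer("C", TicketKey())  # brought up without the shared key
    ticket = a.full_handshake(now=1000)
    del a  # scale-in: the server that did the full handshake is gone
    tampered = bytearray(ticket)
    tampered[40] ^= 1  # flip a bit inside encrypted_state
    return (b.resume(ticket, now=1500) is not None,
            c.resume(ticket, now=1500) is None,
            b.resume(ticket, now=1000 + 3601) is None,
            b.resume(bytes(tampered), now=1500) is None,
            len(b.cache))

if __name__ == "__main__":
    print("session IDs:", demo_session_id())
    print("tickets:", demo_tickets())
```

The point to take from the model is the trade-off the poster describes: session IDs cost the server memory per session and tie resumption to the instance that holds the cache, whereas tickets cost nothing per session but make the ticket key the thing that has to be distributed (and rotated) across all instances, which is exactly what a framework like Gossip would have to carry.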