Dynamic EAP fragment_size for low MTU

Jouni Malinen j at w1.fi
Wed Dec 6 03:14:29 PST 2023

On Wed, Dec 06, 2023 at 10:53:32AM +0000, Samuel Melrose wrote:
> If I can manage to get a patch together, what is everyone's feelings
> about being able to dynamically tune the EAP fragment_size setting,
> based on hints from the server?

Which fragment_size are you talking about here? The one in hostapd or
the one in wpa_supplicant? And if the latter, how would a hint from the
server make it to wpa_supplicant?

> On the server side, we've got FreeRADIUS and we've been able to
> configure it with a low EAP fragment_size value of 1012, however, it
> isn't possible to configure this on the clients, as they are all
> running Chrome OS (so using the Linux version of
> wpa_supplicant/hostapd, but with a read only rootfs where it's
> impossible to tune the configuration file) for both wireless
> WPA2-Enterprise & 802.1X.

Have you tested this with any other clients? Are there some client
implementations that would actually dynamically change EAP-TLS
fragmentation based on failures?

> A lot of people mention how impractical it is to be required to tune
> the fragment_size value in the configuration of each client, rather
> than having it pushed centrally.
> My thoughts are accepting Framed-MTU from the server as part of the
> Access-Challenge response, then tuning the EAP fragment_size based on
> that (taking into account the additional overheads): would you be
> willing to accept such a change?

I'm not sure I can follow the design here.. Access-Challenge goes from
the RADIUS server to the AP/RADIUS client. It does not go to the
Supplicant/client/wpa_supplicant, so that use of Framed-MTU attribute on
the client feels strange.

If this network deployment scenario is such that the Supplicant/EAP
client needs to somehow probe for the maximum EAP message length, things
are quite inconvenient since there is not really any good way for doing
that.. If the EAP exchange happens to have a large message from the
server first (and EAP-TLS in many cases does), an EAP client might try
to figure out that there was a reason for the server to use surprisingly
small EAP message for fragmentation purposes and adapt to using a
similar fragmentation threshold. This might need to be done separately
for each EAP method, though.

Jouni Malinen                                            PGP id EFC895FA
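The fragmentation behaviour the thread discusses, and the heuristic Jouni sketches (if the server's first large EAP-TLS message arrives fragmented, the size of its full fragments reveals the threshold the server is using), as an added example that is not part of this thread and is not hostapd or wpa_supplicant code. It assumes the EAP-TLS packet layout of RFC 5216 (EAP header, type 13, flags byte with L/M/S bits, and a 4-byte TLS message length when L is set) and that fragment_size bounds the length of the whole EAP packet including its header; the function and class names are this example's own.

```python
import struct

# EAP-TLS constants per RFC 5216 (the packet layout is assumed from that RFC).
EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included / More fragments / Start
EAP_TLS_HDR = 6      # code, identifier, length(2), type, flags
TLS_LEN_FIELD = 4    # 4-byte TLS message length, present only when L is set


def _build(code, ident, flags, extra, payload):
    """Serialize one EAP-TLS packet; the EAP length field covers the whole packet."""
    length = EAP_TLS_HDR + len(extra) + len(payload)
    return struct.pack("!BBHBB", code, ident, length, EAP_TYPE_TLS, flags) + extra + payload


def fragment_eap_tls(tls_data, fragment_size, first_id=1, code=EAP_REQUEST):
    """Split a TLS record blob into EAP-TLS packets no longer than fragment_size
    bytes each (fragment_size is assumed to bound the complete EAP packet)."""
    if fragment_size <= EAP_TLS_HDR + TLS_LEN_FIELD:
        raise ValueError("fragment_size leaves no room for TLS data")
    total = len(tls_data)
    if EAP_TLS_HDR + total <= fragment_size:
        return [_build(code, first_id, 0, b"", tls_data)]     # fits: no L, no M
    pkts, offset, ident = [], 0, first_id
    while offset < total:
        first = offset == 0
        hdr_len = EAP_TLS_HDR + (TLS_LEN_FIELD if first else 0)
        chunk = tls_data[offset:offset + fragment_size - hdr_len]
        offset += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if offset < total else 0)
        extra = struct.pack("!I", total) if first else b""    # declared TLS length
        pkts.append(_build(code, ident, flags, extra, chunk))
        ident = (ident + 1) & 0xFF
    return pkts


class EapTlsReassembler:
    """Reassemble EAP-TLS fragments, bounding the buffer by both a fixed cap and
    the peer's declared length so a bogus L-length cannot exhaust memory."""

    def __init__(self, max_total=65536):
        self.buf = bytearray()
        self.expected = None
        self.max_total = max_total

    def feed(self, pkt):
        """Return the complete TLS blob when the last fragment arrives, else None."""
        code, ident, length, etype, flags = struct.unpack("!BBHBB", pkt[:EAP_TLS_HDR])
        if length != len(pkt) or etype != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        body = pkt[EAP_TLS_HDR:]
        if flags & FLAG_L:
            if self.buf:
                raise ValueError("L flag inside an in-progress message")
            (self.expected,) = struct.unpack("!I", body[:TLS_LEN_FIELD])
            if self.expected > self.max_total:
                raise ValueError("declared TLS length exceeds cap")
            body = body[TLS_LEN_FIELD:]
        self.buf += body
        if len(self.buf) > (self.expected if self.expected is not None else self.max_total):
            raise ValueError("more data than declared or allowed")
        if flags & FLAG_M:
            return None                      # caller must send an empty ACK fragment
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError("message ended short of declared length")
        data = bytes(self.buf)
        self.buf, self.expected = bytearray(), None
        return data


def infer_peer_fragment_size(pkts):
    """The heuristic from the thread: only fragments with M set are 'full', so the
    largest of them is the peer's fragmentation threshold; None if unfragmented."""
    full = [len(p) for p in pkts if p[5] & FLAG_M]
    return max(full) if full else None


if __name__ == "__main__":
    # Constructed stand-in for a server's first TLS flight (certificate chain).
    sample = bytes(range(256)) * 10
    frags = fragment_eap_tls(sample, 1012)
    print([len(p) for p in frags], infer_peer_fragment_size(frags))
    r = EapTlsReassembler()
    assert [r.feed(p) for p in frags][-1] == sample
```

The reassembler deliberately refuses an L flag mid-message, a declared length above its cap, and more data than declared; a client that adopts the peer's threshold should still apply its own upper bound on the total, since the declared length is attacker-controlled input.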
