Description
DHCP Discovers, PPPoE discovery control packets, ARP packets, etc., and even RADIUS requests are possible attack vectors, and also just general oopsie-type scenarios, that end up overwhelming CPU usage.
Alan @FreeRADIUS/NetworkRADIUS talks about an interesting concept with a caching-based mechanism to avoid hitting backends constantly due to Access-Reject churn, but I think we could extend this idea further into the edge/BNG to avoid the requests ever getting to the external authentication systems. Not only for RADIUS but DHCP/PPPoE/ARP/ICMPv6 etc. It's not control plane policing but more an explicit deny with configurable timeouts / runtime API endpoints for operations and configuration.
Therefore this issue is a temporary placeholder to open discussion with people until more has been looked into in this area.
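To make the "explicit deny with configurable timeouts" idea concrete, here is an added example of a negative cache sitting in front of a backend (RADIUS, DHCP, PPPoE, whatever the control plane hands off). It is not code from this project or from FreeRADIUS; the request key shape `(protocol, client_id)`, the strike/TTL parameters, the injected backend callback and the fake clock are all hypothetical so it runs offline. A client that keeps getting rejected within a window is denied locally for a TTL, so its churn never reaches the external system; small `deny`/`allow`/`entries` methods stand in for the runtime operations API.

```python
"""Negative cache for edge/BNG control-plane requests (added example, hypothetical API)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (protocol, client identifier), e.g. ("radius", "de:ad:be:ef:00:01")


@dataclass
class DenyCache:
    reject_ttl: float = 30.0          # seconds a client stays denied once it trips the threshold
    strikes_before_deny: int = 3      # backend rejects inside `window` before we deny locally
    window: float = 60.0              # seconds over which rejects are counted
    clock: Callable[[], float] = time.monotonic  # injectable for deterministic tests
    _deny_until: Dict[Key, float] = field(default_factory=dict)
    _strikes: Dict[Key, List[float]] = field(default_factory=dict)
    stats: Dict[str, int] = field(
        default_factory=lambda: {"forwarded": 0, "dropped": 0, "denied": 0})

    def is_denied(self, key: Key) -> bool:
        """True while the key's deny entry has not expired; expired entries are evicted lazily."""
        until = self._deny_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self._deny_until[key]
            return False
        return True

    def record_reject(self, key: Key) -> bool:
        """Count a backend reject; returns True if this one pushed the key into the deny cache."""
        now = self.clock()
        hits = [t for t in self._strikes.get(key, []) if now - t < self.window]
        hits.append(now)
        self._strikes[key] = hits
        if len(hits) >= self.strikes_before_deny:
            self._deny_until[key] = now + self.reject_ttl
            self._strikes.pop(key, None)
            return True
        return False

    def handle(self, key: Key, backend: Callable[[Key], bool]) -> str:
        """Decide a request: 'dropped' (served from deny cache), 'accepted' or 'rejected'."""
        if self.is_denied(key):
            self.stats["dropped"] += 1
            return "dropped"
        self.stats["forwarded"] += 1
        if backend(key):
            self._strikes.pop(key, None)   # a success clears accumulated strikes
            return "accepted"
        if self.record_reject(key):
            self.stats["denied"] += 1
        return "rejected"

    # --- hypothetical runtime operations API ---
    def deny(self, key: Key, ttl: Optional[float] = None) -> None:
        """Operator-initiated deny (e.g. a known-bad MAC), using reject_ttl unless overridden."""
        self._deny_until[key] = self.clock() + (self.reject_ttl if ttl is None else ttl)

    def allow(self, key: Key) -> None:
        """Operator-initiated release of a key, clearing strikes too."""
        self._deny_until.pop(key, None)
        self._strikes.pop(key, None)

    def entries(self) -> Dict[Key, float]:
        """Active deny entries with remaining seconds, for a status endpoint."""
        now = self.clock()
        return {k: round(u - now, 3) for k, u in self._deny_until.items() if u > now}


class FakeClock:
    """Constructed clock so the demo is deterministic."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> Tuple[List[str], Dict[str, int]]:
    """Constructed scenario: one rogue client hammers RADIUS, one valid subscriber does DHCP."""
    clock = FakeClock()
    cache = DenyCache(reject_ttl=30.0, strikes_before_deny=3, window=60.0, clock=clock)
    valid_subscribers = {"00:11:22:33:44:55"}              # constructed backend state
    backend = lambda key: key[1] in valid_subscribers      # stands in for the external AAA/DHCP system
    rogue = ("radius", "de:ad:be:ef:00:01")
    log = []
    for _ in range(10):                                    # one request per second from the rogue
        log.append(cache.handle(rogue, backend))
        clock.advance(1.0)
    log.append(cache.handle(("dhcp", "00:11:22:33:44:55"), backend))  # legitimate client unaffected
    clock.advance(30.0)                                    # t=40 > deny expiry at t=32
    log.append(cache.handle(rogue, backend))               # forwarded again once the TTL lapses
    return log, cache.stats


if __name__ == "__main__":
    decisions, stats = demo()
    print(decisions)
    print(stats)
```

The first three rejects are forwarded to the backend (that is the cost of learning the client is bad); everything after that is dropped at the edge until the TTL expires, while the valid subscriber's DHCP request is never touched. The TTL, strike threshold and window are the knobs the issue talks about exposing through configuration and a runtime API.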
Use case
- Avoid control plane packet churn
- Drop packets as close to the gateway termination point as possible
- Potentially reduce CPU usage and attack vectors