
@nuclearcat
Member

No description provided.


Copilot AI left a comment


Pull request overview

This PR implements security hardening for RADIUS DM/CoA (Dynamic Authorization Extension / Change of Authorization) by restricting which source IP addresses are allowed to send DM/CoA requests. This addresses a security concern where any host knowing the shared secret could send DM/CoA requests to disconnect or modify sessions.

Key changes:

  • Adds dae-allowed configuration option to specify allowed source IPs/CIDR ranges
  • Implements source IP validation in the DM/CoA packet handler
  • Provides deprecation warnings when DAE is configured without source restrictions

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| accel-pppd/radius/radius_p.h | Adds function declaration for rad_dae_src_allowed and removes trailing blank line |
| accel-pppd/radius/radius.c | Implements IP range parsing, storage, and validation logic for DAE source restrictions |
| accel-pppd/radius/dm_coa.c | Adds source IP validation check before processing DM/CoA requests |
| accel-pppd/accel-ppp.conf.5 | Documents the new dae-allowed configuration option |
| accel-pppd/accel-ppp.conf | Adds commented example of dae-allowed configuration |
| README | Adds note about using dae-allowed for DM/CoA deployments |
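
An added example, not code from this pull request: an IPv4 allow-list check of the kind the overview describes, matching a DM/CoA source address against single IPs and CIDR ranges before the request is processed. The function names, the comma-separated list format and the deny-on-empty-list behaviour are assumptions of this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: parse "a.b.c.d" or "a.b.c.d/len" in place (s is modified). */
static int parse_cidr(char *s, uint32_t *net, uint32_t *mask)
{
	char *end, *slash = strchr(s, '/');
	struct in_addr a;
	long len = 32;

	if (slash) {
		*slash++ = '\0';
		len = strtol(slash, &end, 10);
		if (*slash < '0' || *slash > '9' || *end != '\0' || len > 32)
			return -1;
	}
	if (inet_pton(AF_INET, s, &a) != 1)
		return -1;
	/* A 32-bit shift by 32 is undefined in C, so /0 gets an explicit zero mask. */
	*mask = len ? 0xffffffffu << (32 - len) : 0;
	*net = ntohl(a.s_addr) & *mask;
	return 0;
}

/* Hypothetical check: 1 if src matches a list entry, else 0. Malformed entries
 * never match; an empty list or an unparsable source address is denied. */
int dae_src_allowed(const char *list, const char *src)
{
	char tok[32];
	uint32_t net, mask;
	struct in_addr a;
	size_t n = 0;

	if (inet_pton(AF_INET, src, &a) != 1)
		return 0;
	for (const char *p = list; *p; p += n) {
		p += strspn(p, ", ");
		n = strcspn(p, ", ");
		if (n == 0 || n >= sizeof(tok))
			continue;
		memcpy(tok, p, n);
		tok[n] = '\0';
		if (parse_cidr(tok, &net, &mask) == 0 && (ntohl(a.s_addr) & mask) == net)
			return 1;
	}
	return 0;
}
```

The check belongs ahead of any authenticator or attribute processing, so packets from unlisted sources are dropped without touching the shared-secret path.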


…addresses

Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>