FW: Comments on the new Xauth draft
Stephane Beaulieu <sbeaulieu@TimeStep.com> Wed, 15 September 1999 20:44 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.proper.com (8.9.3/8.9.3) with ESMTP id NAA02712; Wed, 15 Sep 1999 13:44:52 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id OAA08572 Wed, 15 Sep 1999 14:42:40 -0400 (EDT)
Message-Id: <319A1C5F94C8D11192DE00805FBBADDFDB66A5@exchange>
From: Stephane Beaulieu <sbeaulieu@TimeStep.com>
To: ipsec <ipsec@lists.tislabs.com>
Subject: FW: Comments on the new Xauth draft
Date: Wed, 15 Sep 1999 14:46:45 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2232.9)
Content-Type: text/plain; charset="x-user-defined"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by lists.tislabs.com id OAA08569
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Sorry, forgot to cc ipsec list on the reply. -----Original Message----- From: Stephane Beaulieu Sent: Wednesday, September 15, 1999 12:08 PM To: 'Rakefet Zadik' Subject: RE: Comments on the new Xauth draft > Hello, > > After reading the new draft, we have a few unclear points: > > "All ISAKMP-Config messages in an extended authentication > transaction MUST contain the same ISAKMP-Config transaction > identifier. The Message ID in the ISAKMP header follows the > rules defined by the ISAKMP-Config protocol." > > > As we understood from the thread held in ipsra, there was a > trend for making xauth its own exchange (separating it from > cfg). This draft does not reflect that understanding, furthermore > this draft seams to force xauth on cfg. Yes, this was one of the proposals (proposal#2) that Joern had suggested in his post with subject named "XAUTH is broken", posted on Jul 22 1999. In the same thread, I had mentioned that I was in favor of this. However, I received many private emails from implementors who felt that Joern's proposal#1 from that same email was a better solution (including one email posted to the list by Tero). To that effect, I sent out another post named "the next rev of XAUTH" on August 3, 1999, in which I solicited input from the list on which of the two proposals we should proceed with. Sadly, I received no emails on the list itself. However, I did receive 3 private emails supporting Joern's first proposal (as well as Tero's earlier posting to the list). > > The message ID is used as a session identifier through out the > isakmp protocols. > Using the identifier as such causes inconsistency and seems > artificial. > > Bonding two cfg transactions for an xauth session requires a > state machine for the receiver, which is a contradiction to the > cfg protocol. Now the receiver will first have to verify according > to the message-id, that the message received is > not a reply to a cfg it sent. After the decryption, another > verification according to the identifier will be needed. > Your ISAKMP state machine should handle the decryption process based on the Message ID. After that the isakmp-cfg state machine extracts the transaction identifier and the message type to determine whether this is a response or a new exchange. > > "If the IPSec host does not have support for the authentication > method requested by the edge device, then it would send back > a reply with empty attributes, thus failing the authentication > but completing the transaction. " - > > <draft-ietf-ipsec-isakmp-xauth-05> > > > > > "Zero length attribute values are usually sent > in a Request and MUST NOT be sent in a Response." > - > <draft-ietf-ipsec-isakmp-mode-cfg-05> > There seems to be a contradiction. > Good point. Thanks. > > > "Extended Authentication MAY be initiated by the edge device > at any time after the initial authentication exchange." - This is > de facto changing the life duration of the main mode after the > main mode is finished, why not initiate a new main mode > instead? > Why go through the process of re-doing MM if all you want to do is refresh user authentication? The reason for adding this is that many authentication servers allow you to give access to a user for a set period of time. If the user wishes to extend that time, then he needs to re-authenticate himself. Thanks for your input, Stephane. > > Regards > > Keren & Rakefet > > >
- Comments on the new Xauth draft Rakefet Zadik
- FW: Comments on the new Xauth draft Stephane Beaulieu
- Re: FW: Comments on the new Xauth draft Scott G. Kelly