Re: XAUTH is broken
Joern Sierwald <joern.sierwald@datafellows.com> Thu, 22 July 1999 19:09 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id MAA07742; Thu, 22 Jul 1999 12:09:42 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA28274 Thu, 22 Jul 1999 13:47:38 -0400 (EDT)
Message-Id: <3.0.5.32.19990722204714.00bbab90@smtp.datafellows.com>
X-Sender: joern@smtp.datafellows.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Thu, 22 Jul 1999 20:47:14 +0300
To: ipsec@lists.tislabs.com
From: Joern Sierwald <joern.sierwald@datafellows.com>
Subject: Re: XAUTH is broken
In-Reply-To: <3797438A.98D131E2@raptor.com>
References: <01E1D01C12D7D211AFC70090273D20B1B8F8E5@sothmxs06.entrust.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by lists.tislabs.com id NAA28271
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
At 12:15 22.7.1999 -0400, you wrote:
>Is it broken or not?
>I think we have to come to an agreement very soon if we want people to
>implement xauth and get some interoperability testing in the coming
>bakeoffs.
>
>In previous messages Greg Carter has brought up some good points regarding
>the isakmp header message id. Stephane Beaulieu, in a previous message,
>proposed a change in the draft that fixes the problem.
>(section 3: All ISAKMP_Config messages in an extended auth transaction
> will contain same message id...).
>

Stephane did not propose a change, he simply clarified the section.

Again, here is the problem. draft-ietf-ipsec-isakmp-mode-cfg-04.txt, chapter 3.1.1:

   As noted, the message ID in the ISAKMP header-- as used in the prf
   computation-- is unique to this exchange and MUST NOT be the same as
   the message ID of another exchange.

And "this exchange" is a config-exchange, which has two packets. Always.

As Greg has pointed out, the cfg-mode draft and the xauth draft contradict each other. IMHO the cfg-mode draft is fine. The xauth draft is wrong, it wants the same message id for several cfg-mode exchanges. What's the problem with each cfg-mode having a different id?

Stephane and Tim try to change the specs (the cfg-mode) so that they don't have to change their implementation, but I think we should simply delete the "All ISAKMP-Config messages in an extended authentication transaction MUST contain the same ISAKMP-Config message ID." part from the xauth draft.

---
Jörn Sierwald
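The cfg-mode rule the mail quotes (one Message ID per two-packet config exchange, never reused by another exchange) can be checked mechanically on captured traffic. The following is an added illustration, not code from the mailing-list thread or any implementation discussed in it: it parses the fixed ISAKMP header layout from RFC 2408 and flags config-mode packets whose Message ID is reused beyond a single request/reply pair, as the xauth draft's wording would produce. The Transaction exchange-type value (6) and the constructed sample packets are assumptions for the demo.

```python
import struct
from collections import defaultdict

# RFC 2408 section 3.1 fixed header: I-cookie(8) R-cookie(8) next payload(1)
# version(1) exchange type(1) flags(1) message ID(4) length(4) = 28 bytes
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCH_TRANSACTION = 6  # "Transaction" (config mode) exchange type; assumed value for the demo


def parse_header(pkt: bytes) -> dict:
    """Return the fixed ISAKMP header fields of one packet as a dict."""
    icky, rcky, npayload, version, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(pkt)
    return {"cookies": (icky, rcky), "exchange": exch, "msgid": msgid, "length": length}


def check_cfg_message_ids(packets) -> list:
    """Apply the cfg-mode draft rule: each config exchange (request + reply)
    owns one Message ID, which MUST NOT appear in any other exchange.
    Returns a list of findings; an empty list means the capture is compliant."""
    findings = []
    seen = defaultdict(int)  # (cookie pair, message ID) -> packets observed with that ID
    for i, pkt in enumerate(packets):
        h = parse_header(pkt)
        if h["exchange"] != EXCH_TRANSACTION:
            continue  # only config-mode traffic is subject to this rule
        if h["msgid"] == 0:
            findings.append(f"packet {i}: config exchange uses Message ID 0 (phase 1 value)")
        key = (h["cookies"], h["msgid"])
        seen[key] += 1
        if seen[key] > 2:  # a third packet under the same ID means a second exchange reused it
            findings.append(f"packet {i}: Message ID {h['msgid']:#010x} reused by another exchange")
    return findings


def build(msgid: int, exch: int = EXCH_TRANSACTION) -> bytes:
    """Constructed sample packet: fixed cookies, next payload 14 (Attribute), encrypted flag, no body."""
    return ISAKMP_HDR.pack(b"\x01" * 8, b"\x02" * 8, 14, 0x10, exch, 0x01, msgid, ISAKMP_HDR.size)


# Constructed samples: an XAUTH transaction made of two config exchanges (4 packets).
CFG_MODE_STYLE = [build(0x1111), build(0x1111), build(0x2222), build(0x2222)]   # distinct ID per exchange
XAUTH_DRAFT_STYLE = [build(0x1111), build(0x1111), build(0x1111), build(0x1111)]  # one ID for the whole transaction

if __name__ == "__main__":
    for name, pkts in (("cfg-mode draft", CFG_MODE_STYLE), ("xauth draft", XAUTH_DRAFT_STYLE)):
        print(name, check_cfg_message_ids(pkts) or "compliant")
```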