Re: AW: [ADs] Re: RFC 5090 -- draft-ietf-radext-rfc4590bis -- Re: Problem with fixes to Appendix A
<Bernard_Aboba@hotmail.com> Tue, 29 January 2008 17:55 UTC
From: Bernard_Aboba@hotmail.com
To: "Beck01, Wolfgang" <BeckW@t-systems.com>, rfc-editor@rfc-editor.org, Baruch.Sterman@Kayote.com, dromasca@avaya.com, rbonica@juniper.net, radiusext@ops.ietf.org
Cc: dschwartz@xconnect.net, mikem@open.com.au, david.schwartz@xconnect.net, dscreat@dscreat.com, dwilli@cisco.com, dromasca@avaya.com, rbonica@juniper.net, d.b.nelson@comcast.net
Date: Tue, 29 Jan 2008 09:50:46 -0800
Can the authors huddle and figure this out? We really do want to get the test vectors right before publishing RFC 5090.

--------------------------------------------------
From: "Beck01, Wolfgang" <BeckW@t-systems.com>
Sent: Tuesday, January 29, 2008 6:12 AM
To: <rfc-editor@rfc-editor.org>; <Baruch.Sterman@Kayote.com>; <dromasca@avaya.com>; <rbonica@juniper.net>
Cc: <dschwartz@xconnect.net>; <bernard_aboba@hotmail.com>; <mikem@open.com.au>; <david.schwartz@xconnect.net>; <dscreat@dscreat.com>; <dwilli@cisco.com>; <dromasca@avaya.com>; <rbonica@juniper.net>; <d.b.nelson@comcast.net>
Subject: AW: [ADs] Re: RFC 5090 -- draft-ietf-radext-rfc4590bis -- Re: Problem with fixes to Appendix A

> I hate to say it, but there are still bugs in the examples.
>
> In the Access-Request with id 0x7d, I calculate a Digest-Response of
> 958ce2c45980c79bd91c3044f32be6da
> and a Message-Authenticator of
> 92A87E1C88BD9573958327C656094634
>
> For the corresponding Access-Accept, I get an Authenticator of
> F237371FFDBFE48CBD9F63D25086B004
> a Digest-Response-Auth of
> 1e2e26caa5611b083e201778485fb394
> and a Message Authenticator of
> 51C3078093B3C5C15FACF27A27E7BE0A
>
> In the Access-Request with id 0x7e, the diff version states a packet
> length of 72. Summing up
> 20 Byte RADIUS header
> 6 Byte NAS-IP
> 6 Byte NAS-Port
> 5 Byte Digest-Method GET
> 13 Byte Digest-URI /index.html
> 18 Byte Message-Authenticator
> ---
> 68 Bytes, not 72.
>
> My script comes up with a Message-Authenticator of
> 690BFC95E88DF3B185F15CD78E469992
>
> For the Access-Request with Id 0x7f, I calculate a
> Digest-Response of
> 5af2aae88d01277b70c03865ced2abef
> and a Message-Authenticator of
> 904890FD52DA0DEDF400B8CABD7A8642
>
> For the Access-Accept of Id 0x7f, I get an Authenticator of
> EB50D310D1649A0C3FCEBC2623422FCA
> a Digest-Response-Auth of
> 0414c25df396d125d79380982de80516
> and a Message-Authenticator of
> 08EBFB290D55EEA4BF8FB48405A16E55
>
> For the packets with id 0x7c, I get the same values as in the RFC doc.
>
>> -----Original Message-----
>> From: RFC Editor [mailto:rfc-editor@rfc-editor.org]
>> Sent: Tuesday, 29 January 2008 02:38
>> To: Baruch Sterman; Dan Romascanu; Ronald Bonica
>> Cc: David Schwartz; Bernard Aboba; Beck, Wolfgang;
>> mikem@open.com.au; David Schwartz; dscreat@dscreat.com;
>> dwilli@cisco.com; Dan Romascanu; Ronald Bonica;
>> d.b.nelson@comcast.net; RFC Editor
>> Subject: [ADs] Re: RFC 5090 -- draft-ietf-radext-rfc4590bis -- Re: Problem with fixes to Appendix A
>>
>> Greetings Dan and Ron,
>>
>> Please review the changes in the Appendix below and let us
>> know if you approve.
>>
>> Note that you can also review the changes to the Appendix in
>> the diff file located at:
>>
>> ftp://ftp.rfc-editor.org/in-notes/authors/rfc5090-last-diff.html
>>
>> All of the authors have signed off on the document, and we
>> now await your approval before announcing the document.
>>
>> Thank you.
>>
>> RFC Editor
>>
>> On Tue, Jan 15, 2008 at 08:35:36PM +0200, Baruch Sterman wrote:
>> > I hope this does it!
>> >
>> > Thanks to everyone.
>> >
>> > We would like to add at the top of the acknowledgements:
>> >
>> > The authors would like to thank Mike McCauley for his help in
>> > working through the details of the examples.
>> >
>> > Here is the full version of examples. I highlighted places where there are changes:
>> >
>> > A->B
>> >
>> > INVITE sip:97226491335@example.com SIP/2.0
>> > From: <sip:12345678@example.com>
>> > To: <sip:97226491335@example.com>
>> >
>> > B->A
>> >
>> > SIP/2.0 100 Trying
>> >
>> > B->C
>> >
>> > Code = Access-Request (1)
>> > Packet identifier = 0x7c (124)
>> > Length = 97
>> > Authenticator = F5E55840E324AA49D216D9DBD069807C
>> > NAS-IP-Address = 192.0.2.38
>> > NAS-Port = 5
>> > User-Name = 12345678
>> > Digest-Method = INVITE
>> > Digest-URI = sip:97226491335@example.com
>> > Message-Authenticator = 7600D5B0BDC33987A60D5C6167B28B3B
>> >
>> > C->B
>> >
>> > Code = Access-challenge (11)
>> > Packet identifier = 0x7c (124)
>> > Length = 72
>> > Authenticator = EBE20199C26EFEAD69BF8AB0E786CA4D
>> > Digest-Nonce = 3bada1a0
>> > Digest-Realm = example.com
>> > Digest-Qop = auth
>> > Digest-Algorithm = MD5
>> > Message-Authenticator = 5DA18ED3BBC9513DCBDE0A37F51B7DE3
>> >
>> > B->A
>> >
>> > SIP/2.0 407 Proxy Authentication Required
>> > Proxy-Authenticate: Digest realm="example.com"
>> > ,nonce="3bada1a0",qop=auth,algorithm=MD5
>> > Content-Length: 0
>> >
>> > A->B
>> >
>> > ACK sip:97226491335@example.com SIP/2.0
>> >
>> > A->B
>> >
>> > INVITE sip:97226491335@example.com SIP/2.0
>> > Proxy-Authorization: Digest nonce="3bada1a0"
>> > ,realm="example.com"
>> > ,response="756933f735fcd93f90a4bbdd5467f263"
>> > ,uri="sip:97226491335@example.com",username="12345678"
>> > ,qop=auth,algorithm=MD5
>> > ,cnonce="56593a80,nc="00000001"
>> >
>> > From: <sip:12345678@example.com>
>> > To: <sip:97226491335@example.com>
>> >
>> > B->C
>> >
>> > Code = Access-Request (1)
>> > Packet identifier = 0x7d (125)
>> > Length = 221
>> > Authenticator = F5E55840E324AA49D216D9DBD069807D
>> > NAS-IP-Address = 192.0.2.38
>> > NAS-Port = 5
>> > User-Name = 12345678
>> > Digest-Method = INVITE
>> > Digest-URI = sip:97226491335@example.com
>> > Digest-Realm = example.com
>> > Digest-Qop = auth
>> > Digest-Algorithm = MD5
>> > Digest-CNonce = 56593a80
>> > Digest-Nonce = 3bada1a0
>> > Digest-Nonce-Count = 00000001
>> > Digest-Response = 756933f735fcd93f90a4bbdd5467f263
>> > Digest-Username = 12345678
>> > SIP-AOR = sip:12345678@example.com
>> > Message-Authenticator = B6C7F7F8D11EF261A26933D234561A60
>> >
>> > C->B
>> >
>> > Code = Access-Accept (2)
>> > Packet identifier = 0x7d (125)
>> > Length = 72
>> > Authenticator = FFDD74D6470D21CB6FC4D6056BE245D2
>> > Digest-Response-Auth = f847de948d12285f8f4199e366f1af21
>> > Message-Authenticator = 7B76E2F10A7067AF601938BF13B0A62E
>> >
>> > B->A
>> >
>> > SIP/2.0 180 Ringing
>> >
>> > B->A
>> >
>> > SIP/2.0 200 OK
>> >
>> > A->B
>> >
>> > ACK sip:97226491335@example.com SIP/2.0
>> >
>> > A second example shows the traffic between a web browser (A), a web server (B), and a RADIUS server (C).
>> >
>> > A->B
>> >
>> > GET /index.html HTTP/1.1
>> >
>> > B->C
>> >
>> > Code = Access-Request (1)
>> > Packet identifier = 0x7e (126)
>> > Length = 78
>> > Authenticator = F5E55840E324AA49D216D9DBD069807E
>> > NAS-IP-Address = 192.0.2.38
>> > NAS-Port = 5
>> > Digest-Method = GET
>> > Digest-URI = /index.html
>> > Message-Authenticator = E4C3D52DD0472663B49A6623B52C2A67
>> >
>> > C->B
>> >
>> > Code = Access-challenge (11)
>> > Packet identifier = 0x7e (126)
>> > Length = 72
>> > Authenticator = 2EE5EB01C02C773B6C6EC8515F565E8E
>> > Digest-Nonce = a3086ac8
>> > Digest-Realm = example.com
>> > Digest-Qop = auth
>> > Digest-Algorithm = MD5
>> > Message-Authenticator = 646DB2B0AF9E72FFF2CF7FEB33C4952A
>> >
>> > B->A
>> >
>> > HTTP/1.1 401 Authentication Required
>> > WWW-Authenticate: Digest realm="example.com",
>> > nonce="a3086ac8",qop=auth,algorithm=MD5
>> > Content-Length: 0
>> >
>> > A->B
>> >
>> > GET /index.html HTTP/1.1
>> > Authorization: Digest algorithm=MD5,qop=auth,nonce="a3086ac8"
>> > ,nc="00000001",cnonce="56593a80"
>> > ,realm="example.com"
>> > ,response="a4fac45c27a30f4f244c54a2e99fa117"
>> > ,uri="/index.html",username="12345678"
>> >
>> > B->C
>> >
>> > Code = Access-Request (1)
>> > Packet identifier = 0x7f (127)
>> > Length = 176
>> > Authenticator = F5E55840E324AA49D216D9DBD069807F
>> > NAS-IP-Address = 192.0.2.38
>> > NAS-Port = 5
>> > User-Name = 12345678
>> > Digest-Method = GET
>> > Digest-URI = /index.html
>> > Digest-Realm = example.com
>> > Digest-Qop = auth
>> > Digest-Algorithm = MD5
>> > Digest-CNonce = 56593a80
>> > Digest-Nonce = a3086ac8
>> > Digest-Nonce-Count = 00000001
>> > Digest-Response = a4fac45c27a30f4f244c54a2e99fa117
>> > Digest-Username = 12345678
>> > Message-Authenticator = 237D85C1478C70C67EEAF22A9C456821
>> >
>> > C->B
>> >
>> > Code = Access-Accept (2)
>> > Packet identifier = 0x7f (127)
>> > Length = 72
>> > Authenticator = 6364FA6ED66012847C05A0895607C694
>> > Digest-Response-Auth = 08c4e942d1d0a191de8b3aa98cd35147
>> > Message-Authenticator = 43795A3166492AD2A890AD57D5F97D56
>> >
>> > B->A
>> >
>> > HTTP/1.1 200 OK
>> > ...
>> >
>> > <html>
>> > ...
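
The packet-length check in the quoted message can be reproduced by encoding the 0x7c and 0x7e Access-Requests from the listing and comparing the encoded size with the Length field; this is an added example, not code from the thread or from RFC 5090. The shared secret is a constructed placeholder (the real one does not appear in this message), so the Message-Authenticator it computes will not equal any value quoted above; the attribute type codes are those assigned in RFC 2865, RFC 2869 and RFC 5090.

```python
import hashlib
import hmac
import socket
import struct

# Attribute type codes: RFC 2865 (1, 4, 5), RFC 2869 (80), RFC 5090 (108, 109).
USER_NAME, NAS_IP, NAS_PORT, MSG_AUTH = 1, 4, 5, 80
DIGEST_METHOD, DIGEST_URI = 108, 109
ACCESS_REQUEST = 1
SECRET = b"constructed-secret"  # assumption: the real shared secret is not on the page


def attr(atype, value):
    """Encode one attribute: type, length (2-byte header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_request(ident, authenticator_hex, attrs, secret=SECRET):
    """Encode an Access-Request with Message-Authenticator as the last attribute."""
    body = b"".join(attr(t, v) for t, v in attrs)
    ma_offset = 20 + len(body) + 2       # 20-byte header, then the attribute header
    body += attr(MSG_AUTH, bytes(16))    # value is all zeros while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    packet = bytearray(header + bytes.fromhex(authenticator_hex) + body)
    mac = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    packet[ma_offset:ma_offset + 16] = mac
    return bytes(packet)


def verify_message_authenticator(packet, secret=SECRET):
    """Recompute HMAC-MD5 over the packet with the (last) attribute value zeroed."""
    expected = hmac.new(secret, packet[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[-16:])


def declared_length(packet):
    """Length field from bytes 2..3 of the RADIUS header."""
    return struct.unpack("!H", packet[2:4])[0]


# Attribute values copied from the listing quoted above.
NAS = [(NAS_IP, socket.inet_aton("192.0.2.38")), (NAS_PORT, struct.pack("!I", 5))]
REQ_7C = build_request(0x7C, "F5E55840E324AA49D216D9DBD069807C", NAS + [
    (USER_NAME, b"12345678"), (DIGEST_METHOD, b"INVITE"),
    (DIGEST_URI, b"sip:97226491335@example.com")])
REQ_7E = build_request(0x7E, "F5E55840E324AA49D216D9DBD069807E", NAS + [
    (DIGEST_METHOD, b"GET"), (DIGEST_URI, b"/index.html")])
```

The 0x7c request encodes to 97 bytes, matching the listing, while the 0x7e request encodes to 68 bytes, the figure Wolfgang Beck arrives at.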