[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Issue with GSSAPI and the ISAKMP/Oakley resolution document

To: ipsec@tis.com
Subject: Issue with GSSAPI and the ISAKMP/Oakley resolution document
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Date: Tue, 28 Oct 1997 18:50:53 -0500
Address: 1 Amherst St., Cambridge, MA 02139
Phone: (617) 253-8091
Sender: owner-ipsec@ex.tis.com

Hi all,

	My apologies for not having a chance to look at this sooner, but
Morton's law has unfortunately been applying in my life --- when it
rains, it pours....

	I've been looking over the GSSAPI authentication in the
ISAKMP/Oakley document, and I think there's a potential problem in that
the text appears to assume that a GSSAPI exchange is a single
round-trip.  In fact, a GSSAPI mechanism can have any number of whole
(or a half) round trip.  So if hosts A and B are engaging in a GSSAPI
exchange, all of the following might happen, depending on the GSSAPI
mechanism:

	A --> B

	A --> B		B --> A

	A --> B		B --> A		A --> B		

	A --> B		B --> A		A --> B		B --> A

		etc.

The text seems to presume the second case above, which is A sends a
token to B, and then B sends a token back to A.  

	However, this is not general enough.  In fact, Mike Swift from
Microsoft just submitted a GSSAPI mechanism for supporting Kerberos 5
user-to-user authentication which requires two full round trips of token
exchanges (draft-ietf-cat-user2user-00.txt).  

	This may simply require a simple textual fix to the GSSAPI
section of ISAKMP/Oakley.  However, the fix may be more complex than
that, since the ISAKMP/Oakley document appears to assume a fixed number
of round-trips, and the GSSAPI mechanism violates this assumption.

							- Ted

Prev by Date: AH/ESP Last Call Results
Next by Date: Re: draft of the ISAKMP/Oakley draft
Prev by thread: Re: AH/ESP Last Call Results
Next by thread: RE: Issue with GSSAPI and the ISAKMP/Oakley resolution document
Index(es):
- Main
- Thread