
XAUTH is broken



About XAUTH:
Doing multiple cfg-exchanges with the same message-id is just
not possible. There are several ways out of the mess:

1) Do two or three cfg-exchanges. message-id changes. 
The exchanges have the same ISAKMP cookies, thus the state 
information can be kept with the phase-1 data.

2) Invent a new exchange. xauth would not use cfg-mode.

3) Cut down XAUTH. Only one cfg-exchange is done:

   IPSec Host                                              Edge Device
   --------------                                    -----------------
                          <-- REQUEST(TYPE=RADIUS NAME="" PASSWORD="")
REPLY(TYPE=RADIUS NAME="joe" PASSWORD="foobar") -->

And that's it. If the password is wrong, the phase-1 is killed with 
an informational exchange carrying a notify payload AUTHENTICATION_FAILED.

I'd vote for 1).

Jörn Sierwald