
RE: XAUTH is broken



Hi Tim,
Yes you do it, however you are not compatible with Config mode.  It is
broken because Config mode states quite clearly that the Message ID is for
ONE config exchange (one sequence of Request-Reply or one of Set-Ack).  Then
you can clear state.  If I wrote a Config implementation and you then sent me
an XAUTH exchange, I would toss your SET message because I would have no idea
how to decrypt it.

To be compatible with XAUTH my generic Config implementation has to keep
state around indefinitely just in case you want to send me the second
Set-Ack transaction, which needs the IV, key etc. from the first.

Please see my other posts.
Bye. 
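
The state problem described above, as an added toy model that is not code from this thread or from either vendor's implementation. It assumes the RFC 2409 Appendix B rule that the first IV of a non-Phase-1 exchange is hash(last Phase 1 CBC output block | Message ID) and that later messages under the same Message ID chain from the last ciphertext block; the block cipher is a deliberately insecure XOR stand-in, and the key, Phase 1 block, Message ID and payload strings are constructed. The XAUTH server keeps its IV chain across both exchanges; the generic Config client either keeps it (`keep_state=True`) or clears it when the Request-Reply exchange ends, which is the behaviour the post says is mandated:

```python
"""Toy model of IKEv1 Config-mode IV state across two exchanges that reuse
one Message ID (the XAUTH Request-Reply followed by Set-Ack case)."""
import hashlib

BLOCK = 16  # toy block size in bytes


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the real block cipher: XOR with a 16-byte key.
    Invertible (decrypt == encrypt) but NOT secure; it exists only so the
    CBC IV chaining below can be run end to end."""
    return bytes(a ^ b for a, b in zip(block, key))


toy_block_decrypt = toy_block_encrypt


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        xored = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev))
        prev = toy_block_encrypt(key, xored)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    assert len(ciphertext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(toy_block_decrypt(key, block), prev)))
        prev = block
    return b"".join(out)


class Peer:
    """One peer's view of the per-Message-ID IV chain.

    First IV for a Message ID: hash(last Phase 1 CBC block | Message ID),
    as in RFC 2409 Appendix B (assumed here, truncated to the toy block
    size). Every later message under that Message ID, in either direction,
    chains from the last ciphertext block. keep_state decides whether the
    running IV survives the end of a Config exchange."""

    def __init__(self, key: bytes, phase1_last_block: bytes, keep_state: bool):
        self.key = key
        self.phase1_last_block = phase1_last_block
        self.keep_state = keep_state
        self.running_iv = {}  # Message ID -> IV for the next message

    def _iv(self, message_id: int) -> bytes:
        if message_id not in self.running_iv:
            seed = self.phase1_last_block + message_id.to_bytes(4, "big")
            self.running_iv[message_id] = hashlib.sha1(seed).digest()[:BLOCK]
        return self.running_iv[message_id]

    def send(self, message_id: int, plaintext: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self._iv(message_id), plaintext)
        self.running_iv[message_id] = ct[-BLOCK:]
        return ct

    def receive(self, message_id: int, ciphertext: bytes) -> bytes:
        pt = cbc_decrypt(self.key, self._iv(message_id), ciphertext)
        self.running_iv[message_id] = ciphertext[-BLOCK:]
        return pt

    def exchange_done(self, message_id: int) -> None:
        """Config mode: the Message ID covered ONE exchange, so a strict
        implementation clears its state here."""
        if not self.keep_state:
            self.running_iv.pop(message_id, None)


def run_xauth(client_keeps_state: bool) -> dict:
    key = bytes(range(16))                    # constructed toy key
    p1_block = b"\xaa" * BLOCK                # constructed last Phase 1 CBC block
    mid = 0x1234                              # one Message ID reused by both exchanges
    server = Peer(key, p1_block, keep_state=True)             # XAUTH server
    client = Peer(key, p1_block, keep_state=client_keeps_state)  # generic Config peer

    # Exchange 1: REQUEST (server -> client) / REPLY (client -> server)
    client.receive(mid, server.send(mid, b"REQUEST user,password".ljust(32, b"\0")))
    server.receive(mid, client.send(mid, b"REPLY alice,secret".ljust(32, b"\0")))
    server.exchange_done(mid)
    client.exchange_done(mid)

    # Exchange 2, same Message ID: SET (server -> client), needs the IV from exchange 1
    set_pt = b"SET XAUTH_STATUS=OK".ljust(32, b"\0")
    got = client.receive(mid, server.send(mid, set_pt))
    return {
        "decrypted_ok": got == set_pt,
        "first_block_ok": got[:BLOCK] == set_pt[:BLOCK],
        "rest_ok": got[BLOCK:] == set_pt[BLOCK:],
    }


if __name__ == "__main__":
    print("client keeps state:", run_xauth(True))
    print("client clears state:", run_xauth(False))
```

With the strict client only the first block of the SET message comes out wrong, which is the usual CBC wrong-IV pattern; in real IKE the hash payload leads the encrypted body, so that message would fail its integrity check and be discarded, which is the "toss your SET message" outcome above.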

-----Original Message-----
From: Tim Jenkins [mailto:tjenkins@TimeStep.com]
Sent: Thursday, July 22, 1999 8:41 AM
To: Joern Sierwald; ipsec@lists.tislabs.com
Subject: RE: XAUTH is broken


Can you explain why you say that doing multiple config-exchanges with the
same message-id is not possible?

Is it because of the current definition of config-exchange?

(BTW, we do what you say cannot be done...)

--- 
Tim Jenkins                       TimeStep Corporation 
tjenkins@timestep.com          http://www.timestep.com 
(613) 599-3610 x4304               Fax: (613) 599-3617 

-----Original Message-----
From: Joern Sierwald [mailto:joern.sierwald@datafellows.com]
Sent: July 22, 1999 4:27 AM
To: ipsec@lists.tislabs.com
Subject: XAUTH is broken


About XAUTH: 
Doing multiple cfg-exchanges with the same message-id is just 
not possible. <remainder of post cut>
