
RE: XAUTH is broken



Greg,
 
From Stephane's reply to your other posts, I got the impression that he was
re-defining XAUTH to state that it used config-exchange message formats, and
that it was overriding the 2-message limitation of that exchange.
 
However, it might make more sense that XAUTH be given a new exchange value,
since it is open ended. This would also help with IKE state handling, since
it would make looking for the result of authentication a little easier. This
is Joern's number 2 suggestion (copied below), and would be my preferred
route.
 
Another suggestion not mentioned is to remove the config-exchange
restriction from being only 2 messages.
 
From Joern's earlier post:
 
<start insert>
1) Do two or three cfg-exchanges. message-id changes. 
The exchanges have the same ISAKMP cookies, thus the state 
information can be kept with the phase-1 data. 

2) Invent a new exchange. xauth would not use cfg-mode. 

3) Cut down XAUTH. Only one cfg-exchange is done: 

   IPSec Host                                              Edge Device 
   --------------                                    ----------------- 
                          <-- REQUEST(TYPE=RADIUS NAME="" PASSWORD="") 
REPLY(TYPE=RADIUS NAME="joe" PASSWORD="foobar") --> 

<end insert>

4) Change config-exchange to be open ended.

Opinions?

--- 
Tim Jenkins                       TimeStep Corporation 
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617 

 

-----Original Message-----
From: Greg Carter [mailto:greg.carter@entrust.com]
Sent: July 22, 1999 9:48 AM
To: 'Tim Jenkins'; Joern Sierwald; ipsec@lists.tislabs.com
Subject: RE: XAUTH is broken



Hi Tim, 
Yes, you do it; however, you are not compatible with Config mode. It is
broken because Config mode states quite clearly that the Message ID is for
ONE config exchange (one sequence of Request-Reply or one of Set-Ack). Then
you can clear state. If I wrote a Config implementation and you sent me an
XAUTH exchange, I would toss your SET message because I would have no idea
how to decrypt it.

To be compatible with XAUTH, my generic Config implementation has to keep
state around indefinitely, just in case you want to send me the second
Set-Ack transaction, which needs the IV, key, etc. from the first.

Please see my other posts. 
Bye. 

-----Original Message----- 
From: Tim Jenkins [mailto:tjenkins@TimeStep.com]
Sent: Thursday, July 22, 1999 8:41 AM 
To: Joern Sierwald; ipsec@lists.tislabs.com 
Subject: RE: XAUTH is broken 


Can you explain why you say that doing multiple config-exchanges with the 
same message-id is not possible? 

Is it because of the current definition of config-exchange? 

(BTW, we do what you say cannot be done...) 

--- 
Tim Jenkins                       TimeStep Corporation 
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617 

-----Original Message----- 
From: Joern Sierwald [mailto:joern.sierwald@datafellows.com]
Sent: July 22, 1999 4:27 AM 
To: ipsec@lists.tislabs.com 
Subject: XAUTH is broken 


About XAUTH: 
Doing multiple cfg-exchanges with the same message-id is just 
not possible. <remainder of post cut>
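The state-handling argument in this thread (Greg's point that a responder which frees the Message ID's state after one Request/Reply cannot decrypt a later Set carrying the same Message ID, and Joern's option 1 of using a fresh Message ID per cfg-exchange) can be made concrete with a small simulation. The following is an added example, not code from any of the posters or from any IKE implementation. It assumes the IV rule of RFC 2409 Appendix B: the IV for the first message of a phase 2/informational/transaction exchange is HASH(last phase 1 CBC output block | Message ID) truncated to the block size, and each later message in that exchange uses the previous message's last CBC output block as its IV. The block cipher is a constructed toy Feistel network (not 3DES and not for real use), and the key, the phase 1 block and the attribute strings are constructed sample values; `Peer`, `simulate` and the other names are the example's own.

```python
"""Toy model of per-Message-ID IV state for ISAKMP config-mode (XAUTH) exchanges."""
import hashlib

BLOCK = 16  # block size in bytes of the toy cipher (3DES in 1999 would be 8)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 4-round Feistel block cipher keyed through SHA-256 (constructed, NOT for real use).
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    plaintext += b"\x00" * (-len(plaintext) % BLOCK)  # ISAKMP pads to the block size
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def first_iv(last_phase1_block: bytes, message_id: int) -> bytes:
    """RFC 2409 Appendix B IV for the first message of a new exchange
    (SHA-1 stands in for the negotiated hash; truncated to the block size)."""
    return hashlib.sha1(last_phase1_block + message_id.to_bytes(4, "big")).digest()[:BLOCK]


class Peer:
    """One end of a phase 1 SA. `exchanges` maps Message ID -> IV for the next
    message of that exchange, i.e. the last CBC output block sent or received."""

    def __init__(self, key: bytes, last_phase1_block: bytes, keep_state: bool):
        self.key, self.p1_block, self.keep_state = key, last_phase1_block, keep_state
        self.exchanges: dict[int, bytes] = {}

    def _iv(self, message_id: int) -> bytes:
        if message_id in self.exchanges:
            return self.exchanges[message_id]
        return first_iv(self.p1_block, message_id)  # unknown ID: new exchange

    def send(self, message_id: int, plaintext: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self._iv(message_id), plaintext)
        self.exchanges[message_id] = ct[-BLOCK:]
        return ct

    def receive(self, message_id: int, ciphertext: bytes) -> bytes:
        pt = cbc_decrypt(self.key, self._iv(message_id), ciphertext)
        self.exchanges[message_id] = ciphertext[-BLOCK:]
        return pt.rstrip(b"\x00")

    def exchange_done(self, message_id: int) -> None:
        # A strict config-mode implementation frees the Message ID's state here.
        if not self.keep_state:
            self.exchanges.pop(message_id, None)


KEY = b"constructed-phase1-encryption-key"   # constructed sample value
P1_BLOCK = bytes(range(BLOCK))               # constructed "last phase 1 CBC block"


def simulate(set_reuses_message_id: bool, host_keeps_state: bool) -> bool:
    """REQUEST/REPLY followed by SET, XAUTH style. Returns True when the IPSec
    host recovers the SET plaintext. With a wrong IV only the first CBC block
    is garbled, which is exactly where the ISAKMP payload header sits."""
    edge = Peer(KEY, P1_BLOCK, keep_state=True)              # XAUTH edge device
    host = Peer(KEY, P1_BLOCK, keep_state=host_keeps_state)  # generic config-mode host
    mid1 = 0x00000001
    host.receive(mid1, edge.send(mid1, b'REQUEST(TYPE=RADIUS NAME="" PASSWORD="")'))
    edge.receive(mid1, host.send(mid1, b'REPLY(TYPE=RADIUS NAME="joe" PASSWORD="foobar")'))
    host.exchange_done(mid1)
    edge.exchange_done(mid1)
    mid2 = mid1 if set_reuses_message_id else 0x00000002  # Joern's option 1: new ID
    msg = b"SET(STATUS=OK)"
    return host.receive(mid2, edge.send(mid2, msg)) == msg


if __name__ == "__main__":
    print("same ID, host keeps state:", simulate(True, True))
    print("same ID, host frees state:", simulate(True, False))
    print("new ID,  host frees state:", simulate(False, False))
```

The interesting case is the second one: the host has followed the config-mode text, freed the Message ID after Request/Reply, and so derives a fresh first-message IV for the incoming Set while the edge device chained the IV from the Reply; the Set's first block (and with it the payload header) comes out as garbage. Either keeping state indefinitely, as Greg describes, or switching to a new Message ID for the Set/Ack pair, as in Joern's option 1, makes both sides agree on the IV again.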