RE: XAUTH is broken
Greg,
From Stephane's reply to your other posts, I got the impression that he was
re-defining XAUTH to state that it used config-exchange message formats, and
that it was over-riding the 2 message limitation of that exchange.
However, it might make more sense that XAUTH be given a new exchange value
since it is open ended. This would also help with IKE state handling, since
it would make looking for the result of authentication a little easier. This
is as Joern's number 2 suggestion (copied below), and would be my preferred
route.
Another suggestion not mentioned is to remove the config-exchange
restriction from being only 2 messages.
From Joern's earlier post:
<start insert>
1) Do two or three cfg-exchanges. message-id changes.
The exchanges have the same ISAKMP cookies, thus the state
information can be kept with the phase-1 data.
2) Invent a new exchange. xauth would not use cfg-mode.
3) Cut down XAUTH. Only one cfg-exchange is done:
   IPSec Host                                      Edge Device
   --------------                                  -----------------
               <-- REQUEST(TYPE=RADIUS NAME="" PASSWORD="")
   REPLY(TYPE=RADIUS NAME="joe" PASSWORD="foobar") -->
<end insert>
4) Change config-exchange to be open ended.
Opinions?
---
Tim Jenkins TimeStep Corporation
tjenkins@timestep.com http://www.timestep.com
(613) 599-3610 x4304 Fax: (613) 599-3617
-----Original Message-----
From: Greg Carter [mailto:greg.carter@entrust.com]
Sent: July 22, 1999 9:48 AM
To: 'Tim Jenkins'; Joern Sierwald; ipsec@lists.tislabs.com
Subject: RE: XAUTH is broken
Hi Tim,
Yes, you do it; however, you are not compatible with Config mode. It is
broken because Config mode states quite clearly that the Message ID is for
ONE config exchange (one sequence of Request-Reply or one of Set-Ack). Then
you can clear state. If I wrote a Config implementation and you then sent me an
XAUTH exchange, I would toss your SET message because I would have no idea
how to decrypt it.
To be compatible with XAUTH, my generic Config implementation has to keep
state around indefinitely just in case you want to send me the second
Set-Ack transaction, which needs the IV, Key etc. from the first.
Please see my other posts.
Bye.
-----Original Message-----
From: Tim Jenkins [mailto:tjenkins@TimeStep.com]
Sent: Thursday, July 22, 1999 8:41 AM
To: Joern Sierwald; ipsec@lists.tislabs.com
Subject: RE: XAUTH is broken
Can you explain why you say that doing multiple config-exchanges with the
same message-id is not possible?
Is it because of the current definition of config-exchange?
(BTW, we do what you say cannot be done...)
---
Tim Jenkins TimeStep Corporation
tjenkins@timestep.com http://www.timestep.com
(613) 599-3610 x4304 Fax: (613) 599-3617
-----Original Message-----
From: Joern Sierwald [mailto:joern.sierwald@datafellows.com]
Sent: July 22, 1999 4:27 AM
To: ipsec@lists.tislabs.com
Subject: XAUTH is broken
About XAUTH:
Doing multiple cfg-exchanges with the same message-id is just
not possible. <remainder of post cut>
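The state-handling point Greg raises (a generic Config-mode responder clears per-message-id state after one Request-Reply, so a following SET under the same message-id cannot be decrypted) can be shown with a small model. This is added example code, not anything from the thread or from any IKE implementation; the hash-based toy cipher stands in for IKE's CBC mode, and only the IV-chaining behaviour (next IV = last ciphertext block of the previous message) is meant to mirror IKE.

```python
"""Toy model of ISAKMP config-mode IV chaining and per-message-id state (constructed, not IKE code)."""
import hashlib

BLOCK = 16
TAG = b"CFG!"  # constructed marker: a correctly decrypted body starts with it


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Hash-based keystream standing in for IKE's CBC cipher (toy, not a real cipher)."""
    return b"".join(hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
                    for i in range(-(-n // 32)))[:n]


def seal(key: bytes, iv: bytes, payload: bytes) -> bytes:
    body = TAG + payload
    body = body.ljust(-(-len(body) // BLOCK) * BLOCK, b"\0")  # pad to whole blocks
    return bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body))))


def open_(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    body = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, iv, len(ciphertext))))
    if not body.startswith(TAG):
        raise ValueError("cannot decrypt: no IV state for this message-id")
    return body[len(TAG):].rstrip(b"\0")


def initial_iv(phase1_iv: bytes, message_id: int) -> bytes:
    """First IV for a new message-id is derived from the phase-1 IV and the message-id (as IKE does)."""
    return hashlib.sha256(phase1_iv + message_id.to_bytes(4, "big")).digest()[:BLOCK]


class ConfigHost:
    """IPsec host's config-mode responder. keep_state=False clears state after one Request-Reply
    (the generic Config-mode behaviour Greg describes); True keeps the chained IV for XAUTH's SET/ACK."""
    def __init__(self, key: bytes, phase1_iv: bytes, keep_state: bool):
        self.key, self.phase1_iv, self.keep_state = key, phase1_iv, keep_state
        self.next_iv = {}  # message_id -> IV expected for the next inbound message

    def handle(self, message_id: int, ciphertext: bytes) -> bytes:
        iv = self.next_iv.get(message_id, initial_iv(self.phase1_iv, message_id))
        kind = open_(self.key, iv, ciphertext).split(b" ", 1)[0]  # raises on wrong IV
        answer = b"REPLY NAME=joe PASSWORD=foobar" if kind == b"REQUEST" else b"ACK"
        out = seal(self.key, ciphertext[-BLOCK:], answer)  # IV chains from last ciphertext block
        if kind == b"REQUEST" and not self.keep_state:
            self.next_iv.pop(message_id, None)  # Request-Reply done: generic Config mode forgets
        else:
            self.next_iv[message_id] = out[-BLOCK:]
        return out


def xauth_second_exchange_succeeds(keep_state: bool) -> bool:
    """Edge device runs REQUEST/REPLY then SET/ACK under one message-id; True if the host accepts SET."""
    key, phase1_iv, mid = b"constructed-key!", b"phase1-last-blk!", 0x1234  # constructed values
    host = ConfigHost(key, phase1_iv, keep_state)
    request = seal(key, initial_iv(phase1_iv, mid), b"REQUEST TYPE=RADIUS NAME= PASSWORD=")
    reply = host.handle(mid, request)
    assert open_(key, request[-BLOCK:], reply).startswith(b"REPLY")
    status = seal(key, reply[-BLOCK:], b"SET STATUS=OK")  # second exchange, same message-id
    try:
        return open_(key, status[-BLOCK:], host.handle(mid, status)) == b"ACK"
    except ValueError:
        return False
```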