
Re: XAUTH is broken



Is it broken or not?
I think we have to come to an agreement very soon if we want people to
implement xauth and get some interoperability testing in the coming
bakeoffs.

In previous messages Greg Carter has brought up some good points regarding
the ISAKMP header Message ID. Stephane Beaulieu, in a previous message,
proposed a change in the draft that fixes the problem
(section 3: All ISAKMP_Config messages in an extended auth transaction
 will contain the same message id...).

The main point that Greg raised was how someone determines at any given time
of a config mode exchange whether it should wait for another message or clear state.
Before we answer this question I suggest that we clearly state in the draft, in
section 2, 1st paragraph, that an xauth session MUST always end with
a SET/ACK config mode exchange. Then the answer to the question becomes trivial:
if the FIRST attribute in an ISAKMP_CFG_REQUEST has a value in the closed interval
[13,21] then you know this is an xauth exchange. Therefore the responder
knows that the exchange is over when sending the ACK and the initiator
knows it is over when receiving the ACK.

Note that any other config mode exchange where the FIRST attribute value is not in [13,21]
must be treated as a single config mode request/reply or set/ack exchange, and therefore
the responder/initiator clears state after the reply has been sent/received.

yannis

Greg Carter wrote:

> Hi Tim,
> Yes you do it, however you are not compatible with Config mode.  It is
> broken because Config mode states quite clearly that the Message ID is for
> ONE config exchange (one sequence of Request-Reply or one of Set-Ack).  Then
> you can clear state, if I wrote a Config implementation, then you sent me an
> XAUTH exchange I would toss your SET message because I would have no idea
> how to decrypt it.
>
> To be compatible with XAUTH my generic Config implementation has to keep
> state around indefinitely just in case you want to send me the second
> Set-Ack transaction which needs the IV, Key etc... from the first.
>
> Please see my other posts.
> Bye.
>
> -----Original Message-----
> From: Tim Jenkins [mailto:tjenkins@TimeStep.com]
> Sent: Thursday, July 22, 1999 8:41 AM
> To: Joern Sierwald; ipsec@lists.tislabs.com
> Subject: RE: XAUTH is broken
>
> Can you explain why you say that doing multiple config-exchanges with the
> same message-id is not possible?
>
> Is it because of the current definition of config-exchange?
>
> (BTW, we do what you say cannot be done...)
>
> ---
> Tim Jenkins                       TimeStep Corporation
> tjenkins@timestep.com          http://www.timestep.com
> (613) 599-3610 x4304               Fax: (613) 599-3617
>
> -----Original Message-----
> From: Joern Sierwald [mailto:joern.sierwald@datafellows.com]
> Sent: July 22, 1999 4:27 AM
> To: ipsec@lists.tislabs.com
> Subject: XAUTH is broken
>
> About XAUTH:
> Doing multiple cfg-exchanges with the same message-id is just
> not possible. <remainder of post cut>

--
Ioannis Bonias, PhD
Axent Technologies, INC. /Raptor Division
email : ibonias@raptor.com
phone : 781.530.2359
fax   : 781.487.9372
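The keep-or-clear rule proposed in the message above, written out as a small per-Message-ID state tracker. This is an added example for illustration; it is not code from the thread, from any IPsec vendor or from the XAUTH/mode-config drafts. It assumes the ISAKMP_CFG_REQUEST/REPLY/SET/ACK type codes 1 to 4 of the mode-config draft, treats a SET whose first attribute falls in [13,21] as the closing SET of an XAUTH session (an extension of the post's REQUEST rule, assumed here), and uses a placeholder dictionary where a real implementation would hold the IV and key material tied to the Message ID. The `strict_mode_cfg` switch reproduces the behaviour Greg Carter describes: a plain mode-config implementation that drops state after every single exchange cannot handle the second SET/ACK transaction.

```python
"""Message-ID state tracking for ISAKMP config mode and XAUTH exchanges.

Added example, not from the mailing-list thread or any draft. Rule modelled:
a config-mode exchange whose FIRST attribute type lies in the closed interval
[13, 21] is an XAUTH session and keeps its Message ID state until a SET/ACK
closes it; any other exchange is a single REQUEST/REPLY or SET/ACK whose
state is dropped as soon as the REPLY/ACK is sent or received.
"""
from dataclasses import dataclass, field

# ISAKMP_CFG_* message type codes as defined in the mode-config draft.
ISAKMP_CFG_REQUEST, ISAKMP_CFG_REPLY, ISAKMP_CFG_SET, ISAKMP_CFG_ACK = 1, 2, 3, 4
XAUTH_ATTR_RANGE = range(13, 22)   # closed interval [13, 21] from the post


@dataclass
class ExchangeState:
    xauth: bool
    crypto: dict = field(default_factory=dict)  # placeholder for IV / key state


class ConfigModeTracker:
    """Per-Message-ID exchange state for one ISAKMP SA (role-agnostic).

    strict_mode_cfg=True models a generic mode-config implementation that
    clears state after every single exchange; it cannot follow an XAUTH
    session into its closing SET/ACK (the 'toss the SET' case).
    """

    def __init__(self, strict_mode_cfg=False):
        self.strict = strict_mode_cfg
        self.exchanges = {}   # message_id -> ExchangeState

    def handle(self, message_id, msg_type, first_attr=None):
        """Return 'keep', 'clear' or 'reject' for one sent or received message."""
        st = self.exchanges.get(message_id)
        if msg_type == ISAKMP_CFG_REQUEST:
            if st is None:   # new exchange; classify it by its first attribute
                self.exchanges[message_id] = ExchangeState(
                    xauth=first_attr in XAUTH_ATTR_RANGE)
                return "keep"
            return "keep" if st.xauth else "reject"   # plain exchanges must not reuse an ID
        if msg_type == ISAKMP_CFG_REPLY:
            if st is None:
                return "reject"
            if st.xauth and not self.strict:
                return "keep"   # XAUTH session is not over until SET/ACK
            del self.exchanges[message_id]
            return "clear"
        if msg_type == ISAKMP_CFG_SET:
            if first_attr in XAUTH_ATTR_RANGE:   # closing SET of an XAUTH session
                if st is None or not st.xauth:
                    return "reject"   # no IV/key state left to process it under
                return "keep"         # wait for the ACK
            if st is None:            # stand-alone SET/ACK exchange
                self.exchanges[message_id] = ExchangeState(xauth=False)
                return "keep"
            return "reject"
        if msg_type == ISAKMP_CFG_ACK:
            if st is None:
                return "reject"
            del self.exchanges[message_id]
            return "clear"            # ACK always ends the exchange
        return "reject"

    def pending(self):
        return sorted(self.exchanges)


def run_xauth_session(strict=False):
    """REQUEST/REPLY/REQUEST/REPLY/SET/ACK, all under one constructed Message ID."""
    t = ConfigModeTracker(strict_mode_cfg=strict)
    mid = 0x1234   # constructed sample Message ID
    actions = [t.handle(mid, ISAKMP_CFG_REQUEST, first_attr=14),
               t.handle(mid, ISAKMP_CFG_REPLY)]
    pending_mid_round = t.pending()          # state must survive the first REPLY
    actions += [t.handle(mid, ISAKMP_CFG_REQUEST, first_attr=18),
                t.handle(mid, ISAKMP_CFG_REPLY),
                t.handle(mid, ISAKMP_CFG_SET, first_attr=20),
                t.handle(mid, ISAKMP_CFG_ACK)]
    return actions, pending_mid_round, t.pending()


def run_plain_exchanges():
    """A REQUEST/REPLY and a SET/ACK with first attribute outside [13, 21]."""
    t = ConfigModeTracker()
    return [t.handle(0x1, ISAKMP_CFG_REQUEST, first_attr=1),
            t.handle(0x1, ISAKMP_CFG_REPLY),
            t.handle(0x2, ISAKMP_CFG_SET, first_attr=1),
            t.handle(0x2, ISAKMP_CFG_ACK)], t.pending()


if __name__ == "__main__":
    print("xauth, proposed rule :", run_xauth_session())
    print("xauth, strict config :", run_xauth_session(strict=True))
    print("plain exchanges      :", run_plain_exchanges())
```

With the proposed rule the XAUTH Message ID stays pending across the REQUEST/REPLY rounds and is cleared exactly at the ACK; with `strict_mode_cfg=True` the first REPLY clears it and the closing SET is rejected, which is the interoperability break the thread is about.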