Re: XAUTH is broken

[Joern Sierwald <joern.sierwald@datafellows.com>]

At 12:15 22.7.1999 -0400, you wrote:
>Is it broken or not?
>I think we have to come to an agreement very soon if we want people to
>implement xauth and get some interoperability testing in the coming
>bakeoffs.
>
>In previous messages Greg carter has brought up some good points regarding
>the isakmp header message id. Stephane Beaulieu, in a previous message,
>proposed a change in the draft that fixes the problem.
>(section 3: All ISAKMP_Config messages in an extended auth transaction
> will contain same message id...).
>
Stephane did not propose a change, he simply clarified the section.

Again, here is the problem. 
draft-ietf-ipsec-isakmp-mode-cfg-04.txt, chapter 3.1.1:

   As noted, the message ID in the ISAKMP header-- as used in the prf
   computation-- is unique to this exchange and MUST NOT be the same
   as the message ID of another exchange.

And "this exchange" is a config-exchange, which has two packets. Always.

As Grep has pointed out, the cfg-mode draft and the xauth draft 
contradict each other. 

IMHO the cfg-mode draft is fine. The xauth draft is wrong, 
it wants the same message id for several cfg-mode exchanges.
Whats the problem with each cfg-mode having a different id?

tephane and Tim try to change the specs (the cfg-mode)
so that they don't have to change their implementation, 
but I think we should simply delete the
"All ISAKMP-Config messages in an extended authentication
   transaction MUST contain the same ISAKMP-Config message ID."
part from the xauth draft.

---
Jörn Sierwald

---

References:

• RE: XAUTH is broken
• From: Greg Carter <greg.carter@entrust.com>
• Re: XAUTH is broken
• From: Ioannis Bonias <ibonias@raptor.com>

---

• Prev by Date: Re: More on a second IPSec algorithm
• Next by Date: Re: Checking incoming traffic against SPD
• Prev by thread: Re: XAUTH is broken
• Next by thread: RE: XAUTH is broken
• Index(es):
  • Main
  • Thread