[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: XAUTH is broken

To: "'Joern Sierwald'" <joern.sierwald@datafellows.com>, ipsec@lists.tislabs.com
Subject: RE: XAUTH is broken
From: Greg Carter <greg.carter@entrust.com>
Date: Thu, 22 Jul 1999 14:21:30 -0400
Sender: owner-ipsec@lists.tislabs.com

Yes I prefer this, if XAUTH wants to use more than one Config exchange than
create a new attribute called

XAUTH_STATE

Set by the initiator and used by both initiator and responder to identify
XAUTH exchanges which span multiple Config exchanges.

The 4 exchange XAUTH is not ideal either, (above attribute would help fix).
If any one has actually used a token card they'll know that it is rather
easy to type in the wrong response, forcing another challenge.  This would
force a new phase 1 (at least how I read the draft) if the first XAUTH
failed, but all you want to do is prompt them again...

Bye.
-----Original Message-----
From: Joern Sierwald [mailto:joern.sierwald@datafellows.com]
Sent: Thursday, July 22, 1999 1:47 PM
To: ipsec@lists.tislabs.com
Subject: Re: XAUTH is broken

At 12:15 22.7.1999 -0400, you wrote:
>Is it broken or not?
>I think we have to come to an agreement very soon if we want people to
>implement xauth and get some interoperability testing in the coming
>bakeoffs.
>
>In previous messages Greg carter has brought up some good points regarding
>the isakmp header message id. Stephane Beaulieu, in a previous message,
>proposed a change in the draft that fixes the problem.
>(section 3: All ISAKMP_Config messages in an extended auth transaction
> will contain same message id...).
>
Stephane did not propose a change, he simply clarified the section.

Again, here is the problem. 
draft-ietf-ipsec-isakmp-mode-cfg-04.txt, chapter 3.1.1:

   As noted, the message ID in the ISAKMP header-- as used in the prf
   computation-- is unique to this exchange and MUST NOT be the same
   as the message ID of another exchange.

And "this exchange" is a config-exchange, which has two packets. Always.

As Grep has pointed out, the cfg-mode draft and the xauth draft 
contradict each other. 

IMHO the cfg-mode draft is fine. The xauth draft is wrong, 
it wants the same message id for several cfg-mode exchanges.
Whats the problem with each cfg-mode having a different id?

tephane and Tim try to change the specs (the cfg-mode)
so that they don't have to change their implementation, 
but I think we should simply delete the
"All ISAKMP-Config messages in an extended authentication
   transaction MUST contain the same ISAKMP-Config message ID."
part from the xauth draft.

---
Jörn Sierwald

Prev by Date: RE: Comment on xauth and hybrid
Next by Date: RE: Secret public keys
Prev by thread: RE: XAUTH is broken
Next by thread: RE: XAUTH is broken
Index(es):
- Main
- Thread