
RE: XAUTH is broken



> -----Original Message-----
> From: Joern Sierwald [mailto:joern.sierwald@datafellows.com]
> Sent: July 22, 1999 1:47 PM
> To: ipsec@lists.tislabs.com
> Subject: Re: XAUTH is broken
> 
> IMHO the cfg-mode draft is fine. The xauth draft is wrong, 
> it wants the same message id for several cfg-mode exchanges.
> What's the problem with each cfg-mode having a different id?

Because it makes state tracking more difficult. It also doesn't seem to make
a lot of sense.

> 
> Stephane and Tim try to change the specs (the cfg-mode)
> so that they don't have to change their implementation, 

This is a rather unfair and unreasonable accusation. If it turns
out that the best solution is to use a new exchange type, we would
still have to change our code, and it is also one of the suggestions
that I already said I prefer.

> but I think we should simply delete the
> "All ISAKMP-Config messages in an extended authentication
>    transaction MUST contain the same ISAKMP-Config message ID."
> part from the xauth draft.

I don't think this is best. Again, tracking authentication over multiple
separate exchanges for the sole purpose of meeting another specification
doesn't seem to justify the cost in implementation.

> 
> ---
> Jörn Sierwald
> 
> 

