RE: XAUTH is broken
> -----Original Message-----
> From: Joern Sierwald [mailto:joern.sierwald@datafellows.com]
> Sent: July 22, 1999 1:47 PM
> To: ipsec@lists.tislabs.com
> Subject: Re: XAUTH is broken
>
>
> IMHO the cfg-mode draft is fine. The xauth draft is wrong,
> it wants the same message id for several cfg-mode exchanges.
> What's the problem with each cfg-mode having a different id?
Because it makes state tracking more difficult. It also doesn't seem to make
a lot of sense.
>
> Stephane and Tim try to change the specs (the cfg-mode)
> so that they don't have to change their implementation,
This is a rather unfair and unreasonable accusation. If it turns
out that the best solution is to use a new exchange type, we would
still have to change our code, and it is also one of the suggestions
that I already said I prefer.
> but I think we should simply delete the
> "All ISAKMP-Config messages in an extended authentication
> transaction MUST contain the same ISAKMP-Config message ID."
> part from the xauth draft.
I don't think this is best. Again, tracking authentication over multiple
separate exchanges for the sole purpose of meeting another specification
doesn't seem to justify the cost in implementation.
>
> ---
> Jörn Sierwald
>
>