RE: XAUTH is broken
I think this is definitely the best way to proceed. It should have minimum
impact on those already having implemented / deployed XAUTH, and results in
a cleaner state machine for those who are just implementing it now.
Before we make any changes to the doc, though, I want to make sure that
everyone is in agreement.
Are there any objections?
> -----Original Message-----
> From: Joern Sierwald [mailto:joern.sierwald@datafellows.com]
> Sent: Friday, July 23, 1999 9:31 AM
> To: ipsec@lists.tislabs.com; tjenkins@TimeStep.com
> Subject: RE: XAUTH is broken
>
>
> Conclusion:
>
> Best way is a new exchange. It will work exactly as specified in
> the xauth draft, except the exchange number in the ISAKMP headers will
> be a new XAUTH number instead of cfg-mode.
>
> A clarification: XAUTH ends with a SET and an ACK type packet.
> SET and ACK are used only at the end of the exchange.
> This way, the XAUTH exchange is not "open-ended",
> it is just "variable length".
>
> As I am ignorant of the procedures... Who picks the number?
>
> Jörn
>
>
>