
Re: XAUTH is broken
  I don't have any objection to a new exchange but I have a request. 
Please don't just grab the next number in the _reserved_ _to_ _IANA_ 
space. Config-mode did this and I think it's a bad precedent. We've 
already seen magic number conflicts (DH-less IKE and the Certicom
EC draft) from this sort of thing.

  Pick a private use number and define some blob for a vendor ID which
says, "I do XAUTH++". When you receive a properly formatted "I do XAUTH++"
vendor ID payload you can know that each side has mutually agreed to
use the private use number and you can proceed to XAUTH++. Then you can 
test this thing properly at the bakeoff and if, and when, it advances it 
can be assigned a number in the proper manner.

  Just grabbing numbers will result in chaos when IANA does assign the
next number in its space and people say, "whoa, you can't do that! The
Frobnitz draft is already using that number."

  thank you,

  Dan.

On Fri, 23 Jul 1999 09:51:41 EDT you wrote
> I think this is definitely the best way to proceed.  It should have minimum
> impact on those already having implemented / deployed XAUTH, and results in
> a cleaner state machine for those who are just implementing it now.  
> 
> Before we make any changes to the doc. though I want to make sure that
> everyone is in agreement.
> 
> Are there any objections?
> 
> > -----Original Message-----
> > From: Joern Sierwald [mailto:joern.sierwald@datafellows.com]
> > Sent: Friday, July 23, 1999 9:31 AM
> > To: ipsec@lists.tislabs.com; tjenkins@TimeStep.com
> > Subject: RE: XAUTH is broken
> > 
> > 
> > Conclusion:
> > 
> > Best way is a new exchange. It will work exactly as specified in
> > the xauth draft, except the exchange number in the ISAKMP headers will
> > be a new XAUTH number instead of cfg-mode.
> > 
> > A clarification: XAUTH ends with a SET and an ACK type packet. 
> > SET and ACK are used only at the end of the exchange. 
> > This way, the XAUTH exchange is not "open-ended",
> > it is just "variable length".
> > 
> > As I am ignorant of the procedures... Who picks the number?
> > 
> > Jörn
> > 
> > 
> > 


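The gating Dan describes above (pick a private-use exchange number, announce it with a vendor ID, and only run the new exchange once the peer has sent the matching vendor ID) can be shown concretely. What follows is an added example, not code from the thread or from any XAUTH implementation. It uses the ISAKMP wire formats from RFC 2408 (28-byte header, 4-byte generic payload header, Vendor ID payload type 13, exchange types 240-255 reserved for private use); the exchange number 240 and the vendor ID bytes are illustrative assumptions, not registered or real XAUTH values.

```python
"""Gating a private-use ISAKMP exchange type on a Vendor ID payload.

Added example, not code from the thread. Wire formats follow RFC 2408:
28-byte ISAKMP header, 4-byte generic payload header, Vendor ID payload
type 13, exchange types 240-255 reserved for private use. The exchange
number 240 and the vendor ID bytes below are illustrative assumptions,
not registered or real XAUTH values.
"""
import hashlib
import struct

ISAKMP_HDR_FMT = "!8s8sBBBBII"        # cookies, next payload, version,
ISAKMP_HDR_LEN = 28                   # exchange type, flags, msg id, length
PAYLOAD_NONE = 0
PAYLOAD_VENDOR_ID = 13
EXCHANGE_ID_PROT = 2                  # a normal phase 1 exchange
EXCHANGE_PRIVATE_MIN, EXCHANGE_PRIVATE_MAX = 240, 255

# Hypothetical values: the private-use number picked for "XAUTH++" and the
# blob that announces "I do XAUTH++" (a hash of a fixed string, as vendor
# IDs conventionally are).
XAUTHPP_EXCHANGE = 240
XAUTHPP_VID = hashlib.md5(b"example XAUTH++ vendor id").digest()


def build_message(icookie, rcookie, exchange_type, payloads):
    """payloads: list of (type, body). Builds header + chained payloads."""
    chain = b""
    for i, (_, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    hdr = struct.pack(ISAKMP_HDR_FMT, icookie, rcookie, first, 0x10,
                      exchange_type, 0, 0, ISAKMP_HDR_LEN + len(chain))
    return hdr + chain


def parse_message(data):
    """Return (exchange_type, [(type, body), ...]); raise on malformed input."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    _, _, nxt, version, xchg, _, _, length = struct.unpack(
        ISAKMP_HDR_FMT, data[:ISAKMP_HDR_LEN])
    if version >> 4 != 1 or length != len(data):
        raise ValueError("bad version or length field")
    off, payloads = ISAKMP_HDR_LEN, []
    while nxt != PAYLOAD_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        ptype = nxt
        nxt, _, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length")
        payloads.append((ptype, data[off + 4:off + plen]))
        off += plen
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return xchg, payloads


class Peer:
    """One side's view of what the other side has announced."""

    def __init__(self):
        self.remote_does_xauthpp = False

    def note_vendor_ids(self, payloads):
        """Record a properly formatted 'I do XAUTH++' vendor ID if present."""
        for ptype, body in payloads:
            if ptype == PAYLOAD_VENDOR_ID and body == XAUTHPP_VID:
                self.remote_does_xauthpp = True

    def accept_exchange(self, exchange_type):
        """Private-use exchange numbers are honoured only once the remote
        side has announced the matching vendor ID; any other private-use
        number is refused rather than guessed at."""
        if EXCHANGE_PRIVATE_MIN <= exchange_type <= EXCHANGE_PRIVATE_MAX:
            return exchange_type == XAUTHPP_EXCHANGE and self.remote_does_xauthpp
        return True


def demo():
    """Initiator announces XAUTH++ in phase 1; responder gates on it."""
    ic, rc = b"\x01" * 8, b"\x02" * 8             # constructed cookies
    responder = Peer()
    results = {"before": responder.accept_exchange(XAUTHPP_EXCHANGE)}
    phase1 = build_message(ic, rc, EXCHANGE_ID_PROT,
                           [(PAYLOAD_VENDOR_ID, XAUTHPP_VID)])
    _, payloads = parse_message(phase1)
    responder.note_vendor_ids(payloads)
    results["after"] = responder.accept_exchange(XAUTHPP_EXCHANGE)
    results["other_private"] = responder.accept_exchange(241)
    return results
```

The point of the gate in accept_exchange is the one made in the message: a private-use number on its own means nothing, so a message carrying one is dropped unless the peer has first said, via the vendor ID, which private extension it means by it. A different implementation squatting on 241 is simply refused instead of being misinterpreted.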