Re: XAUTH is broken
Dan,
although I agree with you in this particular case, I think that in the case of
ISAKMP-CFG it wasn't possible to pick a number from the private space.
According to the draft, ISAKMP-CFG may take place _before_ phase 1,
when Vendor ID payloads are not yet exchanged and even the DOI is not
yet determined. In general, I think that any exchange that may take place
before phase 1 or instead of it (a new exchange for phase 1)
must get its number from the range 0..32.
Regards,
Valery.
----- Original Message -----
From: Dan Harkins <dharkins@network-alchemy.com>
To: Stephane Beaulieu <sbeaulieu@TimeStep.com>
Cc: Joern Sierwald <joern.sierwald@datafellows.com>; <ipsec@lists.tislabs.com>
Sent: Friday, July 23, 1999 11:02 PM
Subject: Re: XAUTH is broken
I don't have any objection to a new exchange but I have a request.
Please don't just grab the next number in the _reserved_ _to_ _IANA_
space. Config-mode did this and I think it's a bad precedent. We've
already seen magic number conflicts (DH-less IKE and the Certicom
EC draft) from this sort of thing.
Pick a private use number and define some blob for a vendor ID which
says, "I do XAUTH++". When you receive a properly formatted "I do XAUTH++"
vendor ID payload you can know that each side has mutually agreed to
use the private use number and you can proceed to XAUTH++. Then you can
test this thing properly at the bakeoff and if, and when, it advances it
can be assigned a number in the proper manner.
Just grabbing numbers will result in chaos when IANA does assign the
next number in its space and people say, "whoa, you can't do that! The
Frobnitz draft is already using that number."
thank you,
Dan.
On Fri, 23 Jul 1999 09:51:41 EDT you wrote
> I think this is definitely the best way to proceed. It should have minimum
> impact on those already having implemented / deployed XAUTH, and results in
> a cleaner state machine for those who are just implementing it now.
>
> Before we make any changes to the doc. though I want to make sure that
> everyone is in agreement.
>
> Are there are any objections?
>
> > -----Original Message-----
> > From: Joern Sierwald [mailto:joern.sierwald@datafellows.com]
> > Sent: Friday, July 23, 1999 9:31 AM
> > To: ipsec@lists.tislabs.com; tjenkins@TimeStep.com
> > Subject: RE: XAUTH is broken
> >
> >
> > Conclusion:
> >
> > Best way is a new exchange. It will work exactly as specified in
> > the xauth draft, except the exchange number in the ISAKMP headers will
> > be a new XAUTH number instead of cfg-mode.
> >
> > A clarification: XAUTH ends with a SET and an ACK type packet.
> > SET and ACK are used only at the end of the exchange.
> > This way, the XAUTH exchange is not "open-ended",
> > it is just "variable length".
> >
> > As I am ignorant of the procedures... Who picks the number?
> >
> > Jörn
> >
> >
> >
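As an added example, not code from the thread or from any of the drafts it discusses, here is a small Python model of the two mechanisms under debate: the RFC 2408 exchange-type registry (0..5 defined, 6..31 ISAKMP future use, 32..239 DOI specific, 240..255 private use, which is the range Dan asks Stephane to draw from) and the Vendor ID gate Dan proposes, i.e. a private-use exchange number is honoured only after the peer has sent the agreed Vendor ID payload. Because Vendor ID payloads ride in phase 1, the same gate encodes Valery's caveat: an exchange that has to run before phase 1 cannot be signalled this way. The ISAKMP header layout, the generic payload header and payload type 13 (Vendor ID) are RFC 2408's; the exchange number 240, the "I do XAUTH++" blob, the cookies and the sample message are hypothetical or constructed for the example.

```python
"""Exchange-type ranges and a Vendor ID gate for a private-use exchange.

Added example, not from the mailing-list thread. Header/payload layout and
exchange-type ranges follow RFC 2408; XAUTHPP_EXCH and XAUTHPP_VID are
hypothetical values chosen for illustration.
"""
import hashlib
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 s3.1: cookies, np, ver, exch, flags, msgid, len
PAYLOAD_HDR = struct.Struct("!BBH")          # RFC 2408 s3.2: next payload, reserved, payload length
PAYLOAD_NONE, PAYLOAD_VID = 0, 13            # Vendor ID payload type is 13
ISAKMP_VERSION = 0x10                        # major 1, minor 0

# Exchange types that a 1999-era IKE peer may legitimately run without any
# out-of-band agreement: RFC 2408 base exchanges plus the IPsec DOI's
# Quick Mode (32) and New Group Mode (33).
ASSIGNED_EXCHANGES = {1, 2, 3, 4, 5, 32, 33}

# Hypothetical private-use number and "I do XAUTH++" blob (Dan's proposal).
XAUTHPP_EXCH = 240
XAUTHPP_VID = hashlib.md5(b"I do XAUTH++").digest()


def exchange_type_class(exch: int) -> str:
    """Classify a one-octet exchange type per the RFC 2408 registry."""
    if 0 <= exch <= 5:
        return "isakmp-defined"
    if 6 <= exch <= 31:
        return "isakmp-future-use"     # IANA-managed: the range Dan says not to grab from
    if 32 <= exch <= 239:
        return "doi-specific"
    if 240 <= exch <= 255:
        return "private-use"
    raise ValueError("exchange type must fit in one octet")


def build_header(icookie, rcookie, next_payload, exch, flags, msgid, body_len):
    """Pack a 28-byte ISAKMP header; total length covers header plus payloads."""
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, ISAKMP_VERSION,
                           exch, flags, msgid, ISAKMP_HDR.size + body_len)


def parse_header(data):
    icookie, rcookie, np, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    return {"icookie": icookie, "rcookie": rcookie, "next_payload": np,
            "version": ver, "exchange": exch, "flags": flags,
            "msgid": msgid, "length": length}


def build_vid_payload(vid, next_payload=PAYLOAD_NONE):
    return PAYLOAD_HDR.pack(next_payload, 0, PAYLOAD_HDR.size + len(vid)) + vid


def vendor_ids(data, first_payload):
    """Walk the payload chain after the header and collect Vendor ID bodies."""
    vids, ptype, off = [], first_payload, ISAKMP_HDR.size
    while ptype != PAYLOAD_NONE:
        if off + PAYLOAD_HDR.size > len(data):
            raise ValueError("truncated payload header")
        np, _reserved, plen = PAYLOAD_HDR.unpack_from(data, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(data):
            raise ValueError("bad payload length")
        if ptype == PAYLOAD_VID:
            vids.append(data[off + PAYLOAD_HDR.size:off + plen])
        ptype, off = np, off + plen
    return vids


def accept_exchange(exch, peer_vids, phase1_done):
    """Return (accept, reason) for running exchange type `exch` with a peer.

    Private-use numbers need the matching Vendor ID from the peer (Dan's
    rule); since Vendor IDs arrive in phase 1, nothing private-use can be
    used before phase 1 completes (Valery's caveat). Numbers grabbed from
    the IANA/DOI ranges without an assignment are refused outright.
    """
    cls = exchange_type_class(exch)
    if cls == "private-use":
        if not phase1_done:
            return False, "no Vendor ID seen yet: private-use number unusable before phase 1"
        if exch == XAUTHPP_EXCH and XAUTHPP_VID in peer_vids:
            return True, "peer advertised XAUTH++"
        return False, "peer did not advertise this private-use exchange"
    if exch in ASSIGNED_EXCHANGES:
        return True, cls
    return False, f"{cls}: unassigned number, not ours to use"


def demo():
    """Constructed phase 1 message carrying our Vendor ID, then the gate decisions."""
    icookie, rcookie = bytes(range(8)), bytes(8)          # constructed cookies
    body = build_vid_payload(XAUTHPP_VID)
    msg = build_header(icookie, rcookie, PAYLOAD_VID, 2, 0, 0, len(body)) + body
    hdr = parse_header(msg)                                 # exchange 2 = Identity Protection
    vids = vendor_ids(msg, hdr["next_payload"])
    return {
        "vid_seen": XAUTHPP_VID in vids,
        "private_after_phase1": accept_exchange(XAUTHPP_EXCH, vids, True)[0],
        "private_before_phase1": accept_exchange(XAUTHPP_EXCH, [], False)[0],
        "grabbed_iana_number": accept_exchange(6, vids, True)[0],
        "message_length": hdr["length"],
    }


if __name__ == "__main__":
    print(demo())
```

The point the code makes concrete is the one the thread circles: a private-use number is safe only because both sides prove, via the Vendor ID, that they mean the same thing by it, and that proof is unavailable to an exchange that has to run before phase 1, which is why Valery argues ISAKMP-CFG could not have used the private range.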