
Re: XAUTH is broken
  It also prevents conflicts. The first rev of the GSS-API draft used
the value 13 to represent the GSS-API Token Payload since that was
the next value in the payload value range from ISAKMP. Of course
that was before the Vendor ID payload got defined as, you guessed it,
value 13. There was a large OS vendor who implemented GSS-API with
the value 13 and they had serious problems when given a Vendor ID payload.
There have also been conflicts with another IKE exchange draft and
another D-H group draft when the authors just take the next value
in the space that is reserved to IANA.

  Take a look at the GSS-API draft now. It uses private use payloads 
and attribute values and mentions that people have to agree on a Vendor
ID payload to pass and expect before using the private use values.
The Hybrid Mode draft does too. This is the way it's supposed to be done.

  IANA thinks the next ISAKMP payload is 14 and RFC2408 specifically says
under its IANA Considerations section:

  "ISAKMP is designed to provide security association negotiation and
   key management for many security protocols.  Requests for identifiers
   for additional security protocols must be accompanied by a
   standards-track RFC which describes the security protocol and its
   relationship to ISAKMP."

So the next standards-track RFC which comes down the pike is going to
be given 14. If that isn't Config-Mode then everyone who implemented
Config-Mode in shipping product is SOL. It's not a problem with IANA being
inefficient; it's that the procedure we've defined for the allocation of
numbers (our own procedure) is not being followed. That and people shipping
code based on I-Ds which have not gone through the proper vetting process
and then using that as a sort of fait accompli.

  The "private" doesn't denote that it's not for standardization. It's
a way of trying out extensions and experimenting with new things. 
Something like XAUTH is _exactly_ what it's for. 

  Dan.

On Mon, 26 Jul 1999 09:08:40 PDT you wrote
> Paul Koning wrote:
> > 
> <trimmed...> 
> > I don't understand the rationale for using private numbers for
> > working group efforts.  The notion of "private" implies that it's for
> > purposes that aren't being standardized.
> > 
> > Is the problem that it's taking a really long time for IANA to assign
> > the number?  If the numbers could be assigned efficiently, it would be
> > perfectly straightforward to give a number to a draft as soon as the
> > draft is prepared.  If a draft ends up not being approved, or changes
> > in such a fashion that the number is no longer needed, it can either
> > be marked obsolete, or recycled.
> > 
> >         paul
> 
> The problem is that it's not clear that this will be standardized, and
> there is currently a healthy debate on as to whether this approach
> (xauth) is necessary or prudent. Assigning a number before the wg has
> actually committed to putting this on the standards track seems
> inappropriate.
> 
> Scott
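The payload-number collision Dan describes above (an early GSS-API draft squatting on value 13, which RFC 2408 then assigned to the Vendor ID payload) and the fix he points to (a private-use value that is only interpreted after both sides have exchanged an agreed Vendor ID) can be shown with a small decoder for the ISAKMP generic payload chain. This is an added illustration, not code from the thread or from any of the implementations it mentions. The payload type values and the 128-255 private-use range are RFC 2408's; the private-use value 128 and the vendor ID string are constructed for the example.

```python
import struct

# ISAKMP payload types from RFC 2408 section 3.1. 14-127 are reserved to
# IANA, 128-255 are private use.
ISAKMP_PAYLOADS = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
    7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
}
PRIVATE_USE_MIN = 128

# Hypothetical extension: a private-use payload type plus the Vendor ID a
# peer must send before we will interpret it. Both values are constructed.
EXT_TOKEN_PAYLOAD = 128
EXT_VENDOR_ID = b"example-ext-v1"


def build_payloads(items):
    """Encode a list of (type, body) as a generic payload chain.

    Returns (first_type, bytes); first_type is what the ISAKMP header's
    Next Payload field would carry. Each payload header is
    next-payload(1) reserved(1) length(2), length covering the header.
    """
    out = bytearray()
    for i, (ptype, body) in enumerate(items):
        next_type = items[i + 1][0] if i + 1 < len(items) else 0
        out += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    return items[0][0], bytes(out)


def parse_payloads(first_type, data):
    """Walk the payload chain, returning [(type, body), ...].

    Length and bounds are checked before any body is read so a malformed
    chain raises instead of reading past the buffer.
    """
    payloads, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _reserved, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        payloads.append((ptype, data[off + 4:off + length]))
        off += length
        ptype = next_type
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return payloads


def classify_draft_style(payloads):
    """Decoder in the style of the early draft: 13 means 'GSS-API token'.

    Any peer sending a standard Vendor ID payload is misread.
    """
    return ["GSS_TOKEN" if ptype == 13 else ISAKMP_PAYLOADS.get(ptype, "UNKNOWN")
            for ptype, _body in payloads]


def classify_gated(payloads):
    """Decoder using a private-use value gated on an agreed Vendor ID.

    Value 13 is always a Vendor ID. The private-use value is interpreted
    as the extension only after the matching Vendor ID has been seen;
    otherwise it is reported as an unknown private payload and not acted on.
    """
    names, ext_enabled = [], False
    for ptype, body in payloads:
        if ptype == 13:
            names.append("VID")
            if body == EXT_VENDOR_ID:
                ext_enabled = True
        elif ptype >= PRIVATE_USE_MIN:
            if ptype == EXT_TOKEN_PAYLOAD and ext_enabled:
                names.append("EXT_TOKEN")
            else:
                names.append("UNKNOWN_PRIVATE")
        else:
            names.append(ISAKMP_PAYLOADS.get(ptype, "UNKNOWN"))
    return names


if __name__ == "__main__":
    # A peer that only sends a (different) Vendor ID: draft-style decoding
    # mislabels it, the gated decoder leaves the private value untouched.
    first, data = build_payloads([(13, b"some-other-vendor"), (128, b"\x01\x02")])
    chain = parse_payloads(first, data)
    print(classify_draft_style(chain), classify_gated(chain))
    # The same private value after the agreed Vendor ID is accepted.
    first, data = build_payloads([(13, EXT_VENDOR_ID), (128, b"\x01\x02")])
    print(classify_gated(parse_payloads(first, data)))
```

The gated decoder is the defensive shape of the scheme the Hybrid Mode and current GSS-API drafts describe: a private-use number carries no meaning on the wire until a Vendor ID has established which extension both peers mean by it, so two experiments that happen to pick the same private value cannot misinterpret each other's payloads.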