aggressive mode & draft-ietf-ipsec-isakmp-gss-auth-04.txt
Hello,
I have a question regarding the gssapi spec: draft-ietf-ipsec-isakmp-gss-auth-04.txt.
It doesn't seem like aggressive mode can work based on the comments in the draft,
yet the draft implies that aggressive mode is possible.
The draft comments that aggressive mode works for a single token exchange, and if
either side encounters GSS_S_CONTINUE_NEEDED, aggressive mode can't be used:
"Aggressive Mode works only for a single token exchange. If either
side encounters GSS_S_CONTINUE_NEEDED, Aggressive Mode cannot be used
and each side should fall back to Main Mode."
And for mutual authentication to occur, the mutual_req_flag should be specified to the
GSS_Init_sec_context on the initiating side.
RFC 2078, the GSSAPI document, specifies that:
"GSS_Init_sec_context() returns an output token to be passed to the server, and
indicates GSS_S_CONTINUE_NEEDED status pending completion of the mutual authentication
sequence."
So, according to the GSS IKE draft, if GSS_S_CONTINUE_NEEDED is encountered then
aggressive mode can't be used, and if mutual authentication is specified, then
according to the GSSAPI spec, GSS_S_CONTINUE_NEEDED must be returned from the
GSS_Init_sec_context.
Am I reading too much into the above comments? Is the implication that if the CONTINUE_NEEDED
variable is encountered due to clock skew issues, then aggressive mode is not possible, but
it's ok if it's encountered due to needing mutual authentication?
So, in the normal aggressive mode case based on the last statement, we would have:
Initiator                          Responder
-----------                        -----------
GSS_Init_sec_context
  returning
  GSS_S_CONTINUE_NEEDED
HDR, SA, KE, Ni,
IDii, GSSi              -->
                                   GSS_Accept_sec_context
                                     returning
                                     GSS_S_COMPLETE
                        <--        HDR, SA, KE, Nr,
                                   IDir, GSSr, HASH_R
GSS_Init_sec_context
  returning
  GSS_S_COMPLETE
HDR, HASH_I             -->
Thanks,
Sheela
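A way to see the two readings of the draft side by side, as an added example that is not part of the original post, the draft, or any real IKE or GSS-API implementation: a constructed toy mechanism (the `ToyMech` class and its `rounds` parameter are assumptions for illustration) drives the three aggressive-mode messages from the diagram above and decides when to fall back to Main Mode, either under the literal "any GSS_S_CONTINUE_NEEDED aborts" rule or under the tolerant reading the diagram uses.

```python
# Toy model (constructed for this example, not real GSS-API or IKE code) of
# the aggressive-mode exchange sketched in the post.
COMPLETE, CONTINUE_NEEDED = "GSS_S_COMPLETE", "GSS_S_CONTINUE_NEEDED"


class ToyMech:
    """Assumed mechanism needing `rounds` responder tokens before the
    initiator completes: 0 = one-way auth, 1 = mutual auth (one round
    trip), 2 or more = an extra exchange such as a clock-skew retry."""

    def __init__(self, rounds):
        self.rounds, self.init_calls, self.accept_calls = rounds, 0, 0

    def init_sec_context(self, token_in=None):
        self.init_calls += 1
        consumed = self.init_calls - 1          # responder tokens seen so far
        if consumed >= self.rounds:             # nothing more to wait for
            return COMPLETE, (b"GSSi" if token_in is None else None)
        return CONTINUE_NEEDED, b"GSSi%d" % self.init_calls

    def accept_sec_context(self, token_in):
        self.accept_calls += 1
        done = self.accept_calls >= self.rounds  # last initiator token consumed?
        return (COMPLETE if done else CONTINUE_NEEDED), b"GSSr%d" % self.accept_calls


def aggressive_mode(mech, strict=False):
    """Run the three-message exchange from the post's diagram.
    strict=True applies the draft's sentence literally (any CONTINUE_NEEDED
    aborts); the default tolerates it only on the initiator's first call,
    as mutual authentication requires. Returns ("AGGRESSIVE", messages) or
    ("MAIN_MODE", reason) when the exchange cannot fit in three messages."""
    status, gssi = mech.init_sec_context()
    if strict and status == CONTINUE_NEEDED:
        return "MAIN_MODE", "initiator got CONTINUE_NEEDED on first call"
    msgs = [("I->R", "HDR, SA, KE, Ni, IDii, GSSi")]
    status, gssr = mech.accept_sec_context(gssi)
    if status != COMPLETE:                      # responder wants another token
        return "MAIN_MODE", "responder needs a further token exchange"
    msgs.append(("R->I", "HDR, SA, KE, Nr, IDir, GSSr, HASH_R"))
    status, extra = mech.init_sec_context(gssr)
    if status != COMPLETE or extra is not None:  # no room for a 4th GSS token
        return "MAIN_MODE", "initiator did not complete on responder token"
    msgs.append(("I->R", "HDR, HASH_I"))
    return "AGGRESSIVE", msgs
```

With `ToyMech(1)` (mutual authentication) the tolerant reading completes in three messages while the literal reading falls back, which is exactly the tension the post describes; `ToyMech(2)` (an extra round such as a skew retry) falls back under both.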