XAuth Vendor Interop List

From owner-ietf-xauth Mon Oct 23 10:16:32 2000 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id KAA19115 for ietf-xauth-bks; Mon, 23 Oct 2000 10:16:32 -0700 (PDT) Received: from [165.227.249.17] (ip17.proper.com [165.227.249.17]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA19103 for ; Mon, 23 Oct 2000 10:16:29 -0700 (PDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: Date: Mon, 23 Oct 2000 10:21:33 -0700 To: ietf-xauth@vpnc.org From: Paul Hoffman / VPNC Subject: Starting this list Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Greetings. The purpose of this list is to discuss the XAUTH protocol. This list was started so that current XAUTH implementors can discuss the current draft and make sure that they interoperate. XAUTH is out scope for the IPsec WG until the son-of-IKE document is finished, but some of you are already shipping products, and some of you are having interop problems. Please use this list to discuss the current draft and your implementations. Note that it is likely that the IPSRA WG will have a very different mechanism for getting remote access users into a gateway, and it is likely that this mechanism will be on standards track (whereas it is likely that XAUTH will not be on standards track any time soon). That should not color your discussion of XAUTH, but it should certainly be considered in your implementation plans. --Paul Hoffman, Director --VPN Consortium From owner-ietf-xauth Wed Nov 1 15:18:38 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id PAA13156 for ietf-xauth-bks; Wed, 1 Nov 2000 15:18:38 -0800 (PST) Received: from corvus.netcenter ([205.178.117.162]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA13151 for ; Wed, 1 Nov 2000 15:18:37 -0800 (PST) Received: by email.rapidstream.com with Internet Mail Service (5.5.2650.21) id ; Wed, 1 Nov 2000 15:24:23 -0800 Message-ID: <5F235E8F67EAD311993200D0B708A6D85AB8AD@email.rapidstream.com> From: Leemay Yen To: "'stephane@cisco.com'" , "'ietf-xauth@vpnc.org'" Cc: Leemay Yen Subject: Xauth Transaction Identifier Date: Wed, 1 Nov 2000 15:24:23 -0800 Importance: high X-Priority: 1 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, Stephane: Thank you in advance to answer my following questions about your xauth draft (Oct. 2000). 1. In Section 6, it says: "All ISAKMP-Config messages in an extended authentication transaction MUST contain the same ISAKMP-Config transaction identifier." Does it mean that a single "identifier" value shall be used in the whole xauth transaction ? Then if the whole xauth exchange looks like: Request --> <-- Reply Request --> <-- Reply Set --> <-- Ack Only one id value will be used no matter how many pairs of messages (Request/Reply, Set/Ack) ? 2. What is the starting value for this "identifier" ? Is it always incremented by 1 ? What will be the cases to use different identifier values ? 3. Should we change the identifier value for the "authentication failure retry" ? or even the re-authentication phase (per RADIUS, as described in section 6) ? In addition, have you thought about how to support "password change", which can be initiated by the end host or even the edge device ? Thanks again for your advise. Leemay Yen RapidStream, Inc. From owner-ietf-xauth Wed Nov 1 17:46:05 2000 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id RAA16021 for ietf-xauth-bks; Wed, 1 Nov 2000 17:46:05 -0800 (PST) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id RAA16017 for ; Wed, 1 Nov 2000 17:46:03 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id RAA28133; Wed, 1 Nov 2000 17:51:56 -0800 (PST) Received: from stephanent (franklin-dhcp-246-66.cisco.com [161.44.246.66]) by toque.cisco.com (Mirapoint) with SMTP id AAG11371; Wed, 1 Nov 2000 20:51:53 -0500 (EST) Message-ID: <00e001c0446f$b4046760$c82a9c18@cisco.com> From: "Stephane Beaulieu" To: "Leemay Yen" , Cc: "Leemay Yen" References: <5F235E8F67EAD311993200D0B708A6D85AB8AD@email.rapidstream.com> Subject: Re: Xauth Transaction Identifier Date: Wed, 1 Nov 2000 20:53:29 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, Comments inline. > > Thank you in advance to answer my following questions about > your xauth draft (Oct. 2000). > > 1. In Section 6, it says: > "All ISAKMP-Config messages in an extended authentication transaction > MUST contain the same ISAKMP-Config transaction identifier." > > Does it mean that a single "identifier" value shall be used in the whole > xauth > transaction ? Yes. > > Then if the whole xauth exchange looks like: > Request --> > <-- Reply > Request --> > <-- Reply > Set --> > <-- Ack > > Only one id value will be used no matter how many pairs of messages > (Request/Reply, Set/Ack) ? Correct > > 2. What is the starting value for this "identifier" ? > Is it always incremented by 1 ? > What will be the cases to use different identifier values ? The identifier is inherrited by the mode-cfg draft. I believe it can indeed be set to any number, and does not need to be sequential. The purpose of the identifier is to be able to distinguish several mode-cfg exchanges that may be occuring at the same time and/or to link several mode-cfg exchanges together (such as XAUTH does). Currently, I can't think of any situations that are documented by any vendors who support the mode-cfg draft that uses more than 1 mode-cfg exchange at a time. Though, it is conceivable, that someone would eventually build something on top of mode-cfg which might do this. > > 3. Should we change the identifier value for the "authentication failure > retry" ? No. The identifier should stay the same until the SET/ACK is complete. Once the SET/ACK is complete that identifier should not be used anymore. > or even the re-authentication phase (per RADIUS, as described in section 6) > ? Yes. In this case we use a new identifier. This is a whole new XAUTH exchange (even though it is with the same peer). > > In addition, have you thought about how to support "password change", which > can be initiated by the end host or even the edge device ? I would suggest the following for something initiated by the edge device. Client <--> GW <-- REQ (Username = '', pwd = '') REPLY (Username = 'joe', pwd = 'mypwd') --> <-- REQ (pwd = '', msg = 'Your password has expired, please enter a new password') REPLY (pwd = 'mynewpwd') --> <-- SET (OK) ACK() --> As for the Client side initiated change of password. I would presume that in systems that allow this, it could be done by the Client at any time after the tunnel comes up. For example, I'm actually tunneling into my VPN at Cisco using XAUTH with NT domain authentication. Using this configuration, I've just successfully changed my NT domain password on the corporate net. Please let me know if you can think of problems with other types of authentication systems in which this would not be possible. Regards, Stephane. > > Thanks again for your advise. > > Leemay Yen > RapidStream, Inc. > > From owner-ietf-xauth Wed Nov 1 18:33:56 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id SAA16929 for ietf-xauth-bks; Wed, 1 Nov 2000 18:33:56 -0800 (PST) Received: from corvus.netcenter ([205.178.117.162]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA16924 for ; Wed, 1 Nov 2000 18:33:55 -0800 (PST) Received: by email.rapidstream.com with Internet Mail Service (5.5.2650.21) id ; Wed, 1 Nov 2000 18:39:43 -0800 Message-ID: <5F235E8F67EAD311993200D0B708A6D85AB8AF@email.rapidstream.com> From: Leemay Yen To: "'Stephane Beaulieu'" , ietf-xauth@vpnc.org Cc: Leemay Yen Subject: RE: Xauth Transaction Identifier Date: Wed, 1 Nov 2000 18:39:36 -0800 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Stephane: Thanks for your answers. To follow up your suggestions for the change password support. Yes, I do think there might be some cases that client couldn't use the regular LAN traffic/protocol to change their passwords if they want to. For example, if the edge device does maintain its own authentication database or some RADIUS server does support password change but rely on the edge device to pass on the requests. Then there is a need to create such mechanism in xauth to do so. In your new draft, XAUTH_ANSWER is very specific to SecurID support. If we can relax the limitation, we may be able to allow the client to initiate the password change request. For example, Client <--> GW <-- REQ (Username = '', pwd = '') REPLY (Username = 'joe', pwd = 'mypwd') --> <-- REQ (answer = '', msg = 'Your password is about to expire, do you want to change your password ?") REPLY (answer = 'y') --> <<< passowrd change details...>>> <-- SET (OK) ACK() --> Or we could simply have another attribute "XAUTH_PASSWORD_CHANGE" to allow client to initiate the action. Just try to throw some ideas and point out the need for such features. Not sure if any other vendors have also thought about this ? Thanks. Leemay > In addition, have you thought about how to support "password change", which > can be initiated by the end host or even the edge device ? I would suggest the following for something initiated by the edge device. Client <--> GW <-- REQ (Username = '', pwd = '') REPLY (Username = 'joe', pwd = 'mypwd') --> <-- REQ (pwd = '', msg = 'Your password has expired, please enter a new password') REPLY (pwd = 'mynewpwd') --> <-- SET (OK) ACK() --> As for the Client side initiated change of password. I would presume that in systems that allow this, it could be done by the Client at any time after the tunnel comes up. For example, I'm actually tunneling into my VPN at Cisco using XAUTH with NT domain authentication. Using this configuration, I've just successfully changed my NT domain password on the corporate net. Please let me know if you can think of problems with other types of authentication systems in which this would not be possible. Regards, Stephane. > > Thanks again for your advise. > > Leemay Yen > RapidStream, Inc. > > From owner-ietf-xauth Thu Nov 2 06:39:57 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id GAA13880 for ietf-xauth-bks; Thu, 2 Nov 2000 06:39:57 -0800 (PST) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA13874 for ; Thu, 2 Nov 2000 06:39:56 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id GAA23249; Thu, 2 Nov 2000 06:45:52 -0800 (PST) Received: from stephanent (kan2-dhcp-161-44-214-158.cisco.com [161.44.214.158]) by toque.cisco.com (Mirapoint) with SMTP id AAG12096; Thu, 2 Nov 2000 09:45:49 -0500 (EST) Message-ID: <006f01c044db$d1dfb700$9ed62ca1@cisco.com> From: "Stephane Beaulieu" To: "Leemay Yen" , Cc: "Leemay Yen" References: <5F235E8F67EAD311993200D0B708A6D85AB8AF@email.rapidstream.com> Subject: Re: Xauth Transaction Identifier Date: Thu, 2 Nov 2000 09:47:27 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Leemay, > > In your new draft, XAUTH_ANSWER is very specific to > SecurID support. If we can relax the limitation, we > may be able to allow the client to initiate the password > change request. For example, XAUTH_ANSWER is not meant to be SecurID specific at all. Though I suppose it is the only example that I gave of it. > > Client <--> GW > <-- REQ (Username = '', pwd = '') > REPLY (Username = 'joe', pwd = 'mypwd') --> > <-- REQ (answer = '', msg = 'Your password is about > to expire, do you want to change your password ?") > REPLY (answer = 'y') --> > <<< passowrd change details...>>> > <-- SET (OK) > ACK() --> > What you've outlined here does work. The section you left empty (i.e. <>) would simply be replaced by <-- REQ (pwd = '', msg = 'Enter your new password') REPLY (pwd = 'mynewestpwd') --> Though in the case you've outlined, the password change is still more or less initiated by the edge device, though it leaves the option to the user whether or not he/she wishes to refuse to change their password. > Or we could simply have another attribute "XAUTH_PASSWORD_CHANGE" > to allow client to initiate the action. Do you still think this might be required given my comments above? Thanks for your input, Stephane. From owner-ietf-xauth Thu Nov 16 03:50:00 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id DAA06946 for ietf-xauth-bks; Thu, 16 Nov 2000 03:50:00 -0800 (PST) Received: from venus.roc.com ([203.197.20.103]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA06848 for ; Thu, 16 Nov 2000 03:49:39 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id FAA01399 for ; Thu, 16 Nov 2000 05:31:20 +0530 Message-Id: <200011160001.FAA01399@venus.roc.com> X-Sender: vamsi@172.16.1.10 (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Thu, 16 Nov 2000 17:21:27 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: question Mime-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:

Hi,

In 'Extended Authentication with in IKE(XAUTH) ' is it mandatory to support the IKECFG

configuration attributes?

regards

vamsi

**************************************************************
Wealth is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Nothing is lost
Health is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Something is lost
Character is lost=A0=A0=A0=A0=A0 Everything is lost

**************************************************************** From owner-ietf-xauth Thu Nov 16 06:11:12 2000 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id GAA20314 for ietf-xauth-bks; Thu, 16 Nov 2000 06:11:12 -0800 (PST) Received: from sj-msg-core-4.cisco.com (sj-msg-core-4.cisco.com [171.71.163.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA20302 for ; Thu, 16 Nov 2000 06:11:09 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-4.cisco.com (8.9.3/8.9.1) with ESMTP id GAA10373; Thu, 16 Nov 2000 06:17:44 -0800 (PST) Received: from stephanent3 (kan2-dhcp-161-44-214-131.cisco.com [161.44.214.131]) by toque.cisco.com (Mirapoint) with SMTP id AAI14406; Thu, 16 Nov 2000 09:17:41 -0500 (EST) Message-ID: <04e301c04fd8$382c2000$83d62ca1@cisco.com> From: "Stephane Beaulieu" To: , "vamsi" References: <200011160001.FAA01399@venus.roc.com> Subject: Re: question Date: Thu, 16 Nov 2000 09:19:23 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_04E0_01C04FAE.4F4B69A0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_04E0_01C04FAE.4F4B69A0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable No. ----- Original Message -----=20 From: vamsi=20 To: ietf-xauth@vpnc.org=20 Sent: Thursday, November 16, 2000 6:51 AM Subject: question Hi, In 'Extended Authentication with in IKE(XAUTH) ' is it mandatory = to support the IKECFG =20 configuration attributes? regards vamsi=20 ************************************************************** Wealth is lost Nothing is lost Health is lost Something is lost Character is lost Everything is lost=20 ****************************************************************=20 ------=_NextPart_000_04E0_01C04FAE.4F4B69A0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

No.

----- Original Message -----

From:=20 vamsi=20

To: ietf-xauth@vpnc.org

Sent: Thursday, November 16, = 2000 6:51=20 AM

Subject: question

Hi,

In 'Extended Authentication with in IKE(XAUTH) = ' is it=20 mandatory to support the IKECFG

configuration attributes?

regards

       = vamsi=20 =

***************************************************= ***********
Wealth=20 is = lost           =20 Nothing is lost
Health is=20 lost            = Something is lost
Character is lost     =20 Everything is lost=20 =

**************************************************************** = ------=_NextPart_000_04E0_01C04FAE.4F4B69A0-- From owner-ietf-xauth Tue Nov 21 02:39:01 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id CAA24239 for ietf-xauth-bks; Tue, 21 Nov 2000 02:39:01 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA24183 for ; Tue, 21 Nov 2000 02:38:45 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id EAA08297 for ; Tue, 21 Nov 2000 04:16:32 +0530 Message-Id: <200011202246.EAA08297@venus.roc.com> X-Sender: vamsi@172.16.1.10 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 21 Nov 2000 16:06:18 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: vendor id Mime-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:

Hi,

In the draft of ' Extended Authentication within IKE (XAUTH)' it is written as

" In order to ensure interoperability with

future and past implementations of XAUTH a Vendor ID has been added.

The Vendor ID payload is sent during the phase 1 exchange as per

[ISAKMP]. The vendor id payload SHOULD be authenticated whenever

possible. "

My question is in which message of phase 1 exchange should 'vendor ID payload' is sent ?

If the phase 1 is in Main mode then in which message and if it is Agressive Mode then in which

message?

bye

**************************************************************
Wealth is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Nothing is lost
Health is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Something is lost
Character is lost=A0=A0=A0=A0=A0 Everything is lost

**************************************************************** From owner-ietf-xauth Tue Nov 21 02:55:49 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id CAA26797 for ietf-xauth-bks; Tue, 21 Nov 2000 02:55:49 -0800 (PST) Received: from ns01.newbridge.com (ns01.newbridge.com [192.75.23.67]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA26793 for ; Tue, 21 Nov 2000 02:55:48 -0800 (PST) Received: (from smtpd@localhost) by ns01.newbridge.com (8.9.2/8.9.2) id FAA21066 for ; Tue, 21 Nov 2000 05:48:24 -0500 (EST) Received: from portal1.newbridge.com(192.75.23.76), claiming to be "kanata-mh1.ca.newbridge.com" via SMTP by ns01.newbridge.com, id smtpdAAA0c1wCW; Tue Nov 21 05:48:21 2000 Received: from kanmail02.ca.newbridge.com by kanata-mh1.ca.newbridge.com with ESMTP for ietf-xauth@vpnc.org; Tue, 21 Nov 2000 05:54:28 -0500 Received: from andrewk3 ([138.120.114.30]) by kanmail02.ca.newbridge.com (Netscape Messaging Server 3.6) with ESMTP id AAAF52; Tue, 21 Nov 2000 05:54:28 -0500 Reply-To: From: "Andrew Krywaniuk" To: "'vamsi'" , Subject: RE: vendor id Date: Tue, 21 Nov 2000 05:46:46 -0500 Message-Id: <004501c053a8$5a60ac30$1e72788a@andrewk3.ca.alcatel.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 In-Reply-To: <200011202246.EAA08297@venus.roc.com> Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Vamsi, When to send vendor ids is not documented anywhere in the RFCs (not even in the expired extension methods draft). For simplicity's sake, I would recommend sending all vendor ids in the first two messages of the exchange. You will get better interoperability that way. Also, the XAuth draft tells you to include a private attribute within the SA payload, which is always sent in the first two messages of the exchange. If you don't send the vendor id immediately then the peer won't know how to interpret that attribute. Andrew -------------------------------------- Beauty with out truth is insubstantial. Truth without beauty is unbearable. -----Original Message----- From: owner-ietf-xauth@mail.vpnc.org [mailto:owner-ietf-xauth@mail.vpnc.org]On Behalf Of vamsi Sent: Tuesday, November 21, 2000 5:36 AM To: ietf-xauth@vpnc.org Subject: vendor id Hi, In the draft of ' Extended Authentication within IKE (XAUTH)' it is written as " In order to ensure interoperability with future and past implementations of XAUTH a Vendor ID has been added. The Vendor ID payload is sent during the phase 1 exchange as per [ISAKMP]. The vendor id payload SHOULD be authenticated whenever possible. " My question is in which message of phase 1 exchange should 'vendor ID payload' is sent ? If the phase 1 is in Main mode then in which message and if it is Agressive Mode then in which message? bye ************************************************************** Wealth is lost Nothing is lost Health is lost Something is lost Character is lost Everything is lost **************************************************************** From owner-ietf-xauth Tue Nov 21 16:50:25 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id QAA07908 for ietf-xauth-bks; Tue, 21 Nov 2000 16:50:25 -0800 (PST) Received: from enigma.cyphers.net (enigma.cyphers.net [64.220.173.136]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA07902 for ; Tue, 21 Nov 2000 16:50:22 -0800 (PST) Received: from cyphers.net ([64.220.173.131]) by enigma.cyphers.net (Netscape Messaging Server 4.15) with ESMTP id G4EL4E00.J1Z for ; Tue, 21 Nov 2000 17:50:38 -0800 Message-ID: <3A1B187F.44225C3C@cyphers.net> Date: Tue, 21 Nov 2000 16:51:11 -0800 From: Will Price Reply-To: wprice@cyphers.net X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U) X-Accept-Language: en,pdf MIME-Version: 1.0 To: ietf-xauth@vpnc.org Subject: List of vendors shipping XAuth Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: One of the stumbling blocks in trying to ship XAuth support has been the lack of information regarding shipping XAuth products. Is there any existing compilation of such information? We'd like to test our implementation against at least 3 three shipping or near shipping implementations within the next 3 weeks (ie we're shipping it real soon.) If there is not, I would volunteer to collect the information. I'd like to keep it simple like: Product Name Version Company XAuth Version Send xauth vendor ID (5 or 6?) Understand xauth vendor ID? Minimum XAuth version supported Maximum XAuth version supported Gateway or client Date shipping since or date expected to ship -- Will Price, Director of Engineering PGP Security, Inc. a division of Network Associates, Inc. From owner-ietf-xauth Tue Nov 21 16:52:04 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id QAA07954 for ietf-xauth-bks; Tue, 21 Nov 2000 16:52:04 -0800 (PST) Received: from enigma.cyphers.net (enigma.cyphers.net [64.220.173.136]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA07947 for ; Tue, 21 Nov 2000 16:52:03 -0800 (PST) Received: from cyphers.net ([64.220.173.131]) by enigma.cyphers.net (Netscape Messaging Server 4.15) with ESMTP id G4EL7700.91T for ; Tue, 21 Nov 2000 17:52:19 -0800 Message-ID: <3A1B18E5.30DEB01E@cyphers.net> Date: Tue, 21 Nov 2000 16:52:53 -0800 From: Will Price Reply-To: wprice@cyphers.net X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U) X-Accept-Language: en,pdf MIME-Version: 1.0 To: ietf-xauth@vpnc.org Subject: Re: List of vendors shipping XAuth References: <3A1B187F.44225C3C@cyphers.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Sorry, sent that half baked. One more question: Supports hybrid auth extensions? I imagine people would appreciate if all responses were sent directly to me with the title "XAUTH DATA" and I will collate and repost to this list. Will Price wrote: > > One of the stumbling blocks in trying to ship XAuth support has been the > lack of information regarding shipping XAuth products. Is there any > existing compilation of such information? We'd like to test our > implementation against at least 3 three shipping or near shipping > implementations within the next 3 weeks (ie we're shipping it real soon.) > > If there is not, I would volunteer to collect the information. I'd like to > keep it simple like: > > Product Name > Version > Company > XAuth Version > Send xauth vendor ID (5 or 6?) > Understand xauth vendor ID? > Minimum XAuth version supported > Maximum XAuth version supported > Gateway or client > Date shipping since or date expected to ship > > -- > > Will Price, Director of Engineering > PGP Security, Inc. > a division of Network Associates, Inc. -- Will Price, Director of Engineering PGP Security, Inc. a division of Network Associates, Inc. From owner-ietf-xauth Wed Nov 22 06:17:56 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id GAA03400 for ietf-xauth-bks; Wed, 22 Nov 2000 06:17:56 -0800 (PST) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA03392 for ; Wed, 22 Nov 2000 06:17:54 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id GAB16240; Wed, 22 Nov 2000 06:18:24 -0800 (PST) Received: from stephanent3 (kan2-dhcp-161-44-214-131.cisco.com [161.44.214.131]) by toque.cisco.com (Mirapoint) with SMTP id AAL22195; Wed, 22 Nov 2000 09:18:18 -0500 (EST) Message-ID: <0fed01c0548f$4cf0cd40$83d62ca1@cisco.com> From: "Stephane Beaulieu" To: , References: <3A1B187F.44225C3C@cyphers.net> <3A1B18E5.30DEB01E@cyphers.net> Subject: Re: List of vendors shipping XAuth Date: Wed, 22 Nov 2000 09:20:01 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hey Will, Great idea. XAUTH has been around for about 2-3 years now. I haven't seen any major issues with it in the last year (other than backwards compatibility issues with the older versions). The idea of this mailing list was to have a forum to discuss technical roadblocks. So far, I haven't seen any. If we can gather this kind of data, it will help move the draft to RFC Informational, and then we can all move on (and interoperate, of course ). Stephane. ----- Original Message ----- From: "Will Price" To: Sent: Tuesday, November 21, 2000 7:52 PM Subject: Re: List of vendors shipping XAuth > Sorry, sent that half baked. One more question: > > Supports hybrid auth extensions? > > I imagine people would appreciate if all responses were sent directly to > me with the title "XAUTH DATA" and I will collate and repost to this list. > > > Will Price wrote: > > > > One of the stumbling blocks in trying to ship XAuth support has been the > > lack of information regarding shipping XAuth products. Is there any > > existing compilation of such information? We'd like to test our > > implementation against at least 3 three shipping or near shipping > > implementations within the next 3 weeks (ie we're shipping it real soon.) > > > > If there is not, I would volunteer to collect the information. I'd like to > > keep it simple like: > > > > Product Name > > Version > > Company > > XAuth Version > > Send xauth vendor ID (5 or 6?) > > Understand xauth vendor ID? > > Minimum XAuth version supported > > Maximum XAuth version supported > > Gateway or client > > Date shipping since or date expected to ship > > > > -- > > > > Will Price, Director of Engineering > > PGP Security, Inc. > > a division of Network Associates, Inc. > > -- > > Will Price, Director of Engineering > PGP Security, Inc. > a division of Network Associates, Inc. From owner-ietf-xauth Mon Nov 27 23:10:02 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id XAA24454 for ietf-xauth-bks; Mon, 27 Nov 2000 23:10:02 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA24294 for ; Mon, 27 Nov 2000 23:09:38 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id AAA08263 for ; Tue, 28 Nov 2000 00:48:05 +0530 Message-Id: <200011271918.AAA08263@venus.roc.com> X-Sender: vamsi@intotoinc.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 28 Nov 2000 12:37:10 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: notify remote device about Xauth Mime-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:

Hi,

It is neccessary that edge device should inform the remote device that Xauth follows once after completing the phase 1 exchange . (this is what they specified in Xauth draft)

We are any how exchanging the vendor Id payload in the first two messages of phase 1 which is

sufficient to notify a remote device that 'Xauth ' follows once after completion of Phase 1 exchanges.

In the Xauth draft they specified two methods to notify the remote device about Xauth :

1)Notification payloads with in Phase 1 exchange.

2)Notification via Authentication Type.

My question is why to use above two methods even though we already have 'Vendor ID ' option to notify the remote host about 'Xauth' ?

Which method is more justified to notify the remote device about Xauth either by using 'Vendor Id' or 'Notification payload ' or 'Notification via Authentication types' ?

bye

**************************************************************
Wealth is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Nothing is lost
Health is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Something is lost
Character is lost=A0=A0=A0=A0=A0 Everything is lost

**************************************************************** From owner-ietf-xauth Tue Nov 28 06:48:28 2000 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id GAA03583 for ietf-xauth-bks; Tue, 28 Nov 2000 06:48:28 -0800 (PST) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA03579 for ; Tue, 28 Nov 2000 06:48:27 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id GAA21234; Tue, 28 Nov 2000 06:48:57 -0800 (PST) Received: from stephanent3 (kan2-dhcp-161-44-214-131.cisco.com [161.44.214.131]) by toque.cisco.com (Mirapoint) with SMTP id AAN13200; Tue, 28 Nov 2000 09:48:50 -0500 (EST) Message-ID: <185e01c0594a$9091f370$83d62ca1@cisco.com> From: "Stephane Beaulieu" To: , "vamsi" References: <200011271918.AAA08263@venus.roc.com> Subject: Re: notify remote device about Xauth Date: Tue, 28 Nov 2000 09:50:35 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_185B_01C05920.A79EED90" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_185B_01C05920.A79EED90 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi, 1) The Vendor ID payload says "I know how to speak XAUTH". It doesn't = say "We must do XAUTH". 2) The Vendor ID payload is not authenticated. To have successful interop, you'll have to use both Vendor ID and = Notification via Authentication Method Types. ----- Original Message -----=20 From: vamsi=20 To: ietf-xauth@vpnc.org=20 Sent: Tuesday, November 28, 2000 2:07 AM Subject: notify remote device about Xauth Hi, It is neccessary that edge device should inform the remote device = that Xauth follows once after completing the phase 1 exchange . (this is = what they specified in Xauth draft) We are any how exchanging the vendor Id payload in the first two = messages of phase 1 which is=20 sufficient to notify a remote device that 'Xauth ' follows once = after completion of Phase 1 exchanges. In the Xauth draft they specified two methods to notify the remote = device about Xauth : 1)Notification payloads with in Phase 1 exchange. 2)Notification via Authentication Type. My question is why to use above two methods even though we = already have 'Vendor ID ' option to notify the remote host about = 'Xauth' ? Which method is more justified to notify the remote device about = Xauth either by using 'Vendor Id' or 'Notification payload ' or = 'Notification via Authentication types' ? bye ************************************************************** Wealth is lost Nothing is lost Health is lost Something is lost Character is lost Everything is lost=20 ****************************************************************=20 ------=_NextPart_000_185B_01C05920.A79EED90 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

Hi,

1) The Vendor ID payload says = "I know how to=20 speak XAUTH". It doesn't say "We must do XAUTH".

2) The Vendor ID payload is not=20 authenticated.

To have successful interop, you'll have = to use both=20 Vendor ID and Notification via Authentication Method Types.

----- Original Message -----

From:=20 vamsi=20

To: ietf-xauth@vpnc.org

Sent: Tuesday, November 28, = 2000 2:07=20 AM

Subject: notify remote device = about=20 Xauth

Hi,

It is neccessary that edge device should inform=20 the remote device that Xauth follows once after = completing=20 the phase 1 exchange . (this is what they specified in Xauth = draft)

We are any how exchanging the vendor Id payload in the = first two=20 messages of phase 1 which is

sufficient to notify a remote device that = 'Xauth '=20 follows once after completion of Phase 1=20 exchanges.

In the Xauth draft they specified two methods to notify the = remote=20 device about Xauth :

1)Notification payloads with in Phase 1 exchange.

2)Notification via Authentication Type.

My question is why to = use above=20 two methods even though we already have = 'Vendor=20 ID ' option to notify the remote host about 'Xauth' = ?

Which method is more justified to notify the remote = device=20 about Xauth either by using 'Vendor Id' or 'Notification payload = '=20 or 'Notification via Authentication types' ?

bye

*****************************= *********************************
Wealth=20 is = lost           =20 Nothing is lost
Health is=20 lost            = Something is lost
Character is lost     =20 Everything is lost=20 =

**************************************************************** = ------=_NextPart_000_185B_01C05920.A79EED90-- From owner-ietf-xauth Wed Nov 29 23:17:49 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id XAA05088 for ietf-xauth-bks; Wed, 29 Nov 2000 23:17:49 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA05068 for ; Wed, 29 Nov 2000 23:17:42 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id AAA11561 for ; Thu, 30 Nov 2000 00:56:37 +0530 Message-Id: <200011291926.AAA11561@venus.roc.com> X-Sender: vamsi@172.16.1.10 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Thu, 30 Nov 2000 12:45:23 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: missing ACK message Mime-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:

Hi,

The following is the general Xauth transaction

IPSec Host = &nbs= p; &n= bsp; Edge Device

-------------- &n= bsp; = -----------------

= ; &nb= sp; &= nbsp; <-- REQUEST

REPLY -->

= ; &nb= sp; &= nbsp; = ; <-- SET

ACK -->

Xauth draft of section 5 says :

" The Extended Authentication transaction is terminated either when

the edge device starts a SET/ACK exchange which includes an

XAUTH_STATUS attribute or when the remote device sends a

XAUTH_STATUS attribute in a REPLY message. Please note that a

remote device can not set XAUTH_STATUS to anything but FAIL."

1) Xauth transaction is terminated when the edge device starts a SET/ACK exchange ,is that termination once after starting or the completion of SET/ACK exchange?

2)Should edge device wait for 'ACK' message from the IpsecHost?

3)What happens if by any chance that edge device will not recive the 'Ack' message from the remote device(Ipsec Host)?

bye

**************************************************************
Wealth is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Nothing is lost
Health is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Something is lost
Character is lost=A0=A0=A0=A0=A0 Everything is lost

**************************************************************** From owner-ietf-xauth Thu Nov 30 06:33:45 2000 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id GAA15466 for ietf-xauth-bks; Thu, 30 Nov 2000 06:33:45 -0800 (PST) Received: from sj-msg-core-2.cisco.com (sj-msg-core-2.cisco.com [171.69.43.88]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA15462 for ; Thu, 30 Nov 2000 06:33:43 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-2.cisco.com (8.9.3/8.9.1) with ESMTP id GAA13034; Thu, 30 Nov 2000 06:34:18 -0800 (PST) Received: from stephanent3 (kan2-dhcp-161-44-214-131.cisco.com [161.44.214.131]) by toque.cisco.com (Mirapoint) with SMTP id AAN31741; Thu, 30 Nov 2000 09:34:14 -0500 (EST) Message-ID: <1f6101c05ada$dbaaad20$83d62ca1@cisco.com> From: "Stephane Beaulieu" To: , "vamsi" References: <200011291926.AAA11561@venus.roc.com> Subject: Re: missing ACK message Date: Thu, 30 Nov 2000 09:35:59 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_1F5E_01C05AB0.F2CB7D60" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_1F5E_01C05AB0.F2CB7D60 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable You've really got 2 options. 1 - Wait for the ACK, but don't let your state machine advance, and have = a timer that cleans everything up if the ACK never comes. You may even = want to retransmit your SET(STATUS=3DFAIL) 2 - Delete the phase 1 SA right away, and send a DELETE notify. If the = ACK comes, you'll ignore it because you won't recognize the cookies. Option #1 is a little more polite since the SET(STATUS=3DFAIL) may of = had gotten lost in transit, and the peer doesn't know what's going on if = he didn't receive the SET. If you retransmit the SET (when you haven't = received an ACK), then there's a better chance to make sure that the = Remote Access Client knows why the connection is being torn down, and = can notify the User. It's also a little bit more complex to implement. Option #2 will work just as good in most cases. It will clean up = rejected connections faster. It will also cause some "INVALID-COOKIE" = events, which most likely will end up in your logs. Stephane. ----- Original Message -----=20 From: vamsi=20 To: ietf-xauth@vpnc.org=20 Sent: Thursday, November 30, 2000 2:15 AM Subject: missing ACK message Hi, The following is the general Xauth transaction IPSec Host Edge Device -------------- ----------------- <-- REQUEST REPLY --> <-- SET ACK --> Xauth draft of section 5 says : " The Extended Authentication transaction is terminated either when the edge device starts a SET/ACK exchange which includes an XAUTH_STATUS attribute or when the remote device sends a XAUTH_STATUS attribute in a REPLY message. Please note that a remote device can not set XAUTH_STATUS to anything but FAIL." 1) Xauth transaction is terminated when the edge device starts = a SET/ACK exchange ,is that termination once after starting or the = completion of SET/ACK exchange? 2)Should edge device wait for 'ACK' message from the IpsecHost? 3)What happens if by any chance that edge device will not recive the = 'Ack' message from the remote device(Ipsec Host)? =20 bye ************************************************************** Wealth is lost Nothing is lost Health is lost Something is lost Character is lost Everything is lost=20 ****************************************************************=20 ------=_NextPart_000_1F5E_01C05AB0.F2CB7D60 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

You've really got 2 = options.

1 - Wait for the ACK, but don't let = your state=20 machine advance, and have a timer that cleans everything up if the ACK = never=20 comes. You may even want to retransmit your = SET(STATUS=3DFAIL)

2 - Delete the phase 1 SA right away, = and send a=20 DELETE notify. If the ACK comes, you'll ignore it because you = won't=20 recognize the cookies.

Option #1 is a little more polite since = the=20 SET(STATUS=3DFAIL) may of had gotten lost in transit, and the peer = doesn't know=20 what's going on if=20 he didn't receive the SET. If you retransmit the SET (when you = haven't=20 received an ACK), then there's a better chance to make sure that the = Remote=20 Access Client knows why the connection is being torn down, and can = notify the=20 User. It's also a little bit more complex to = implement.

Option #2 will work just as good in = most=20 cases. It will clean up rejected connections faster. It will = also=20 cause some "INVALID-COOKIE" events, which most likely will end up in = your=20 logs.

Stephane.

----- Original Message -----

From:=20 vamsi=20

To: ietf-xauth@vpnc.org

Sent: Thursday, November 30, = 2000 2:15=20 AM

Subject: missing ACK = message

Hi,

The following is the general Xauth = transaction

IPSec=20 = Host &nb= sp; &nbs= p; = ; =20 Edge Device

=20 = -------------- = ; = &= nbsp;=20 -----------------

&n= bsp; &nb= sp; &nbs= p; =20 <-- REQUEST

REPLY -->

&n= bsp; &nb= sp; &nbs= p; = ; =20 <-- SET

ACK -->

Xauth draft of section 5 says :

" The Extended Authentication transaction is terminated = either=20 when

the edge device starts a SET/ACK exchange which = includes=20 an

XAUTH_STATUS attribute or when the remote device = sends=20 a

XAUTH_STATUS attribute in a REPLY message. = Please note=20 that a

remote device can not set XAUTH_STATUS to anything = but=20 FAIL."

1) Xauth transaction is terminated =20 when the edge device starts a SET/ACK = exchange =20 ,is that termination once after starting or the completion = of=20 SET/ACK exchange?

2)Should edge device wait for 'ACK' message from the=20 IpsecHost?

3)What happens if by any chance that edge device will = not=20 recive the 'Ack' message from the remote device(Ipsec Host)? =

bye

*********************************= *****************************
Wealth=20 is = lost           =20 Nothing is lost
Health is=20 lost            = Something is lost
Character is lost     =20 Everything is lost=20 =

**************************************************************** = ------=_NextPart_000_1F5E_01C05AB0.F2CB7D60-- From owner-ietf-xauth Mon Dec 4 04:01:09 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id EAA08448 for ietf-xauth-bks; Mon, 4 Dec 2000 04:01:09 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA08389 for ; Mon, 4 Dec 2000 03:59:37 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id FAA04659 for ; Mon, 4 Dec 2000 05:38:35 +0530 Message-Id: X-Sender: vamsi@172.16.1.10 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Mon, 04 Dec 2000 17:27:37 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: identifying the second request Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id EAA08445 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, In section 5 of Xauth Draft "Some mechanisms allow for another optional request of the passcode. IPSec Host Edge Device -------------- ----------------- <-- REQUEST(NAME="" PASSWORD="" PASSCODE="") REPLY(NAME="joe" PASSWORD="foobar" PASSCODE="323415") --> <-- REQUEST(NAME="" PASSWORD="" PASSCODE="") REPLY(NAME="joe" PASSWORD="foobar" PASSCODE="513212") --> <-- SET(STATUS=OK) ACK(STATUS) --> " 1)How ipsec host comes to know that one more request follows after the first request? ( here first request means "<-- REQUEST(NAME="" PASSWORD="" PASSCODE="")" and second request means request message from edge device in response to the reply message from ipsec host " <-- REQUEST(NAME="" PASSWORD="" PASSCODE="")" ) 2)Where I can get more information regarding SDI architecture? bye ************************************************************** Wealth is lost�� Nothing is lost Health is lost�� Something is lost Character is lost�� Everything is lost **************************************************************** From owner-ietf-xauth Thu Dec 7 16:34:31 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id QAA06380 for ietf-xauth-bks; Thu, 7 Dec 2000 16:34:31 -0800 (PST) Received: from enigma.cyphers.net (enigma.cyphers.net [64.220.173.136]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA06376 for ; Thu, 7 Dec 2000 16:34:30 -0800 (PST) Received: from cyphers.net ([161.69.248.229]) by enigma.cyphers.net (Netscape Messaging Server 4.15) with ESMTP id G5870J00.Q5B for ; Thu, 7 Dec 2000 17:33:55 -0800 Message-ID: <3A302D1B.94C52A9F@cyphers.net> Date: Thu, 07 Dec 2000 16:36:41 -0800 From: Will Price Reply-To: wprice@cyphers.net X-Mailer: Mozilla 4.75 (Macintosh; U; PPC) X-Accept-Language: en,pdf MIME-Version: 1.0 To: ietf-xauth@vpnc.org Subject: CHAP XAuth draft contradiction? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Line 1167 of draft 00 says the RADIUS CHAP hash should proceed as: "(ID+challenge+secret)" Line 408 of RFC 2138 (RADIUS) says that hash should proceed as: ID+secret+challenge. We used the interpreation from the XAuth draft, but one of the vendors we're testing with used the second interpretation. I have changed our implementation to use RFC 2138's method, but this should probably be clarified. -- Will Will Price, Director of Engineering PGP Security, Inc. a division of Network Associates, Inc. From owner-ietf-xauth Thu Dec 7 16:34:24 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id QAA06372 for ietf-xauth-bks; Thu, 7 Dec 2000 16:34:24 -0800 (PST) Received: from enigma.cyphers.net (enigma.cyphers.net [64.220.173.136]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA06366; Thu, 7 Dec 2000 16:34:22 -0800 (PST) Received: from cyphers.net ([161.69.248.229]) by enigma.cyphers.net (Netscape Messaging Server 4.15) with ESMTP id G5870B00.356; Thu, 7 Dec 2000 17:33:47 -0800 Message-ID: <3A302D14.EEA97DF@cyphers.net> Date: Thu, 07 Dec 2000 16:36:33 -0800 From: Will Price Reply-To: wprice@cyphers.net X-Mailer: Mozilla 4.75 (Macintosh; U; PPC) X-Accept-Language: en,pdf MIME-Version: 1.0 To: ietf-xauth@vpnc.org, ietf-ipsra@vpnc.org Subject: Call for implementation list XAuth Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a repeat of my prior message to collect data on all xauth implementations. I have received a number of responses, but I'm certain there are many more. Please send a reply to this message titled "XAUTH DATA" with your response to the questions below. I will collate the information and post it back to the xauth list: Product Name Version Company XAuth Version Send xauth vendor ID (5 or 6?) Understand xauth vendor ID? Minimum XAuth version supported Maximum XAuth version supported Gateway or client Date shipping since or date expected to ship Supports hybrid auth extensions? Thanks! -- Will Will Price, Director of Engineering PGP Security, Inc. a division of Network Associates, Inc. From owner-ietf-xauth Wed Dec 20 01:07:08 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id BAA07450 for ietf-xauth-bks; Wed, 20 Dec 2000 01:07:08 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id BAA07287 for ; Wed, 20 Dec 2000 01:06:10 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id CAA02936 for ; Wed, 20 Dec 2000 02:46:47 +0530 Message-Id: <200012192116.CAA02936@venus.roc.com> X-Sender: vamsi@172.16.1.10 (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Wed, 20 Dec 2000 14:34:52 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: Encryption bit of Isakmp header Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id BAA07447 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, The following is the Isakmp Header 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Initiator ! ! Cookie ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Responder ! ! Cookie ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Message ID ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I am enabling the encryption bit of the 'Flags' field in the Isakmp Header during the 'Transaction exchange' for Xauth, when we require the protected exchanges.(This is what I am doing in my implemetation) My doubt is,by just enabling the Encryption bit in the 'flags ' field of Isakmp header would fullfill our requirement or else what about the other bits like 'Commit bit' and 'Authentication bit'.? bye ************************************************************** Wealth is lost�� Nothing is lost Health is lost�� Something is lost Character is lost�� Everything is lost **************************************************************** From owner-ietf-xauth Tue Dec 26 04:01:31 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id EAA09098 for ietf-xauth-bks; Tue, 26 Dec 2000 04:01:31 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id EAA09056 for ; Tue, 26 Dec 2000 04:00:48 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id FAA09763; Tue, 26 Dec 2000 05:42:04 +0530 Message-Id: <200012260012.FAA09763@venus.roc.com> X-Sender: vamsi@172.16.1.10 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 26 Dec 2000 17:29:19 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: Transaction Exchange Packet Format Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id EAA09095 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, I am assuming the Xauth Transaction exchange packet format is as follows. ________________________________ | | | Isakmp Header | ________________________________ | | | Hash Payload | ________________________________ | | | Attribute Payload | ________________________________ Please clarify me whether my assumption is correct or not. bye ************************************************************** Wealth is lost�� Nothing is lost Health is lost�� Something is lost Character is lost�� Everything is lost **************************************************************** From owner-ietf-xauth Thu Dec 28 12:30:50 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id MAA28531 for ietf-xauth-bks; Thu, 28 Dec 2000 12:30:50 -0800 (PST) Received: from sj-msg-core-4.cisco.com (sj-msg-core-4.cisco.com [171.71.163.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA28527 for ; Thu, 28 Dec 2000 12:30:48 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-4.cisco.com (8.9.3/8.9.1) with ESMTP id MAA24317; Thu, 28 Dec 2000 12:33:46 -0800 (PST) Received: from stephanent3 (kan-dial-117.cisco.com [10.88.15.117]) by toque.cisco.com (Mirapoint) with SMTP id AAO09351; Thu, 28 Dec 2000 15:33:34 -0500 (EST) Message-ID: <00a801c0710d$b22d4a40$750f580a@cisco.com> From: "Stephane Beaulieu" To: , "vamsi" References: <200012260012.FAA09763@venus.roc.com> Subject: Re: Transaction Exchange Packet Format Date: Thu, 28 Dec 2000 15:27:01 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: yes ----- Original Message ----- From: "vamsi" To: Sent: Tuesday, December 26, 2000 6:59 AM Subject: Transaction Exchange Packet Format > Hi, > > I am assuming the Xauth Transaction exchange packet format is as follows. > ________________________________ > | > | > | Isakmp Header | > ________________________________ > | > | > | Hash Payload | > ________________________________ > | > | > | Attribute Payload | > ________________________________ > > Please clarify me whether my assumption is correct or not. > > bye > > > > ************************************************************** > Wealth is lost Nothing is lost > Health is lost Something is lost > Character is lost Everything is lost > > **************************************************************** From owner-ietf-xauth Thu Dec 28 21:22:18 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id VAA14768 for ietf-xauth-bks; Thu, 28 Dec 2000 21:22:18 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id VAA14758 for ; Thu, 28 Dec 2000 21:22:12 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id XAA01807; Thu, 28 Dec 2000 23:03:52 +0530 Message-Id: <200012281733.XAA01807@venus.roc.com> X-Sender: vamsi@172.16.1.10 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Fri, 29 Dec 2000 10:51:30 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: intialisation vector Cc: raghava@brahma.roc.com, srao@brahma.roc.com Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id VAA14764 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, Should we use the Intialisation vector of phase1 exchange or else should we produce fresh intialisation vector for the Xauth protected Transaction exchanges? bye ************************************************************** Wealth is lost�� Nothing is lost Health is lost�� Something is lost Character is lost�� Everything is lost **************************************************************** From owner-ietf-xauth Sat Dec 30 08:26:45 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id IAA29129 for ietf-xauth-bks; Sat, 30 Dec 2000 08:26:45 -0800 (PST) Received: from dfmail.f-secure.com (dfmail.f-secure.com [194.252.6.39]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id IAA29117 for ; Sat, 30 Dec 2000 08:26:42 -0800 (PST) Received: (qmail 31871 invoked by uid 0); 30 Dec 2000 16:30:48 -0000 Received: from fsav4im2.f-secure.com (HELO fsav4im2) (194.197.29.47) by dfmail.f-secure.com with SMTP; 30 Dec 2000 16:30:48 -0000 Received: from dfintra.f-secure.com ([194.197.29.8]:2827) (HELO dfintra.f-secure.com) by fsav4im2 ([194.197.29.47]:25) (F-Secure Anti-Virus for Internet Mail 5.0.53 Release) with SMTP; Sat, 30 Dec 2000 16:30:41 -0000 Received: (qmail 2601 invoked from network); 30 Dec 2000 16:30:47 -0000 Received: from info.f-secure.com (HELO F-Secure.com) (194.197.29.11) by dfintra.f-secure.com with SMTP; 30 Dec 2000 16:30:47 -0000 Message-ID: <3A4E0E26.CE6CCC5E@F-Secure.com> Date: Sat, 30 Dec 2000 18:32:38 +0200 From: Ari Huttunen Organization: F-Secure Corporation X-Mailer: Mozilla 4.76 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: ietf-xauth@vpnc.org Subject: X-auth attribute formats? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Is it the understanding that XAUTH-USER-NAME, XAUTH-USER-PASSWORD, etc. attributes MUST be null-terminated? XAUTH-CHALLENGE would *NOT* be NULL terminated? Similarly, MUST User-Name and User-Password be NULL terminated when sent to/from a RADIUS server? Ari -- Ari Huttunen phone: +358 9 2520 0700 Senior Software Engineer fax : +358 9 2520 5001 F-Secure Corporation http://www.F-Secure.com F-Secure products: Integrated Solutions for Enterprise Security From owner-ietf-xauth Sat Dec 30 11:09:57 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id LAA09096 for ietf-xauth-bks; Sat, 30 Dec 2000 11:09:57 -0800 (PST) Received: from enigma.cyphers.net (enigma.cyphers.net [64.220.173.136]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA09092 for ; Sat, 30 Dec 2000 11:09:55 -0800 (PST) Received: from cyphers.net ([64.220.173.157]) by enigma.cyphers.net (Netscape Messaging Server 4.15) with ESMTP id G6EDHI00.I06; Sat, 30 Dec 2000 12:12:54 -0800 Message-ID: <3A4E33FD.C83FDA2@cyphers.net> Date: Sat, 30 Dec 2000 11:14:05 -0800 From: Will Price Reply-To: wprice@cyphers.net X-Mailer: Mozilla 4.75 (Macintosh; U; PPC) X-Accept-Language: en,pdf MIME-Version: 1.0 To: Ari Huttunen CC: ietf-xauth@vpnc.org Subject: Re: X-auth attribute formats? References: <3A4E0E26.CE6CCC5E@F-Secure.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Ari Huttunen wrote: > > Is it the understanding that XAUTH-USER-NAME, XAUTH-USER-PASSWORD, etc. > attributes MUST be null-terminated? XAUTH-CHALLENGE would *NOT* be > NULL terminated? Where are you getting the idea that any of them should be null terminated? I don't think any of them should, and I don't see it in the draft either. The attribute includes a size, so there is no need to null terminate. One early mistake I made was actually converting the challenge to an ASCII hex string like "0x0A0B0C" because that's what it looked like in the draft and it says "variable ASCII". Silly me. The challenge is a series of binary bytes. Again though, no null termination. > Similarly, MUST User-Name and User-Password be NULL terminated when > sent to/from a RADIUS server? That I don't know. -- Will Price, Director of Engineering PGP Security, Inc. a division of Network Associates, Inc. From owner-ietf-xauth Tue Jan 2 06:05:21 2001 Received: by ns.secondary.com (8.9.3/8.9.3) id GAA25145 for ietf-xauth-bks; Tue, 2 Jan 2001 06:05:21 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA25053 for ; Tue, 2 Jan 2001 06:00:49 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id HAA04912; Tue, 2 Jan 2001 07:41:32 +0530 Message-Id: <200101020211.HAA04912@venus.roc.com> X-Sender: vamsi@206.40.37.1 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 02 Jan 2001 16:57:19 +0530 To: Ari Huttunen From: Vamsi Krishna Subject: Re: X-auth attribute formats? Cc: ietf-xauth@vpnc.org In-Reply-To: <3A4E0E26.CE6CCC5E@F-Secure.com> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id GAA25142 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: At 22:02 30.12.00 , Ari Huttunen wrote: >Is it the understanding that XAUTH-USER-NAME, XAUTH-USER-PASSWORD, etc. >attributes MUST be null-terminated? XAUTH-CHALLENGE would *NOT* be >NULL terminated? > >Similarly, MUST User-Name and User-Password be NULL terminated when >sent to/from a RADIUS server? A summary of the Attribute format in RADIUS is shown below. The fields are transmitted from left to right. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- | Type | Length | Value ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- For User name Attribute Type .................... User Name Attrib Type (as per defined in Radius Rfc) Length................... 1(Type)+1(Length)+variable string(value) value....................... User name So UserName and User-Password lengths can be determined from the field ' Length 'so there is no need of null termination while sending to /receiving from the Radius server. > >Ari > >-- >Ari Huttunen�� phone: +358 9 2520 0700 >Senior Software Engineer�� fax� : +358 9 2520 5001 > >F-Secure Corporation�� http://www.F-Secure.com > >F-Secure products: Integrated Solutions for Enterprise Security > From owner-ietf-xauth Tue Jan 2 07:46:04 2001 Received: by ns.secondary.com (8.9.3/8.9.3) id HAA04007 for ietf-xauth-bks; Tue, 2 Jan 2001 07:46:04 -0800 (PST) Received: from dfmail.f-secure.com (dfmail.f-secure.com [194.252.6.39]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id HAA04003 for ; Tue, 2 Jan 2001 07:46:02 -0800 (PST) Received: (qmail 5520 invoked by uid 0); 2 Jan 2001 15:50:24 -0000 Received: from fsav4im2.f-secure.com (HELO fsav4im2) (194.197.29.47) by dfmail.f-secure.com with SMTP; 2 Jan 2001 15:50:24 -0000 Received: from dfintra.f-secure.com ([194.197.29.8]:1048) (HELO dfintra.f-secure.com) by fsav4im2 ([194.197.29.47]:25) (F-Secure Anti-Virus for Internet Mail 5.0.53 Release) with SMTP; Tue, 2 Jan 2001 15:50:11 -0000 Received: (qmail 23205 invoked from network); 2 Jan 2001 15:50:23 -0000 Received: from fs129-152.f-secure.com (HELO F-Secure.com) (10.128.129.152) by dfintra.f-secure.com with SMTP; 2 Jan 2001 15:50:23 -0000 Message-ID: <3A51F92A.53B7AC33@F-Secure.com> Date: Tue, 02 Jan 2001 17:52:10 +0200 From: Ari Huttunen Organization: F-Secure Corporation X-Mailer: Mozilla 4.76 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Vamsi Krishna CC: ietf-xauth@vpnc.org Subject: Re: X-auth attribute formats? References: <200101020211.HAA04912@venus.roc.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Vamsi Krishna wrote: > > At 22:02 30.12.00 , Ari Huttunen wrote: > >Is it the understanding that XAUTH-USER-NAME, XAUTH-USER-PASSWORD, etc. > >attributes MUST be null-terminated? XAUTH-CHALLENGE would *NOT* be > >NULL terminated? > > > >Similarly, MUST User-Name and User-Password be NULL terminated when > >sent to/from a RADIUS server? > A summary of the Attribute format in RADIUS is shown below. The fields are > transmitted from left to right. > > 0 1 2 > 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > | Type | Length | Value ... > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > > For User name Attribute > Type .................... User Name Attrib Type (as per > defined in > Radius Rfc) > Length................... 1(Type)+1(Length)+variable string(value) > value....................... User name > So UserName and User-Password lengths can be determined from the field ' > Length 'so there is no > need of null termination while sending to /receiving from the Radius > server. It's trivially clear that both xauth and radius attribute definitions can handle not having a NULL. It also seems to work with a NULL, at least with the radius server I tried. I also thought that we'd been sending NULLs in xauth attributes, but actually we don't so I'm not sure if xauth too can handle having NULLs; I mean actual implementations. In any case the draft could clarify what is meant by "Variable ASCII string" in each case. Ari -- Ari Huttunen phone: +358 9 2520 0700 Senior Software Engineer fax : +358 9 2520 5001 F-Secure Corporation http://www.F-Secure.com F-Secure products: Integrated Solutions for Enterprise Security From owner-ietf-xauth Wed Jan 3 07:02:07 2001 Received: by ns.secondary.com (8.9.3/8.9.3) id HAA07703 for ietf-xauth-bks; Wed, 3 Jan 2001 07:02:07 -0800 (PST) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA07697 for ; Wed, 3 Jan 2001 07:02:06 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id HAA21049; Wed, 3 Jan 2001 07:05:43 -0800 (PST) Received: from stephanent3 (kan2-dhcp-161-44-214-149.cisco.com [161.44.214.149]) by toque.cisco.com (Mirapoint) with SMTP id AAR08303; Wed, 3 Jan 2001 10:05:30 -0500 (EST) Message-ID: <007c01c07596$dd211190$95d62ca1@cisco.com> From: "Stephane Beaulieu" To: , "vamsi" Cc: , References: <200012281733.XAA01807@venus.roc.com> Subject: Re: intialisation vector Date: Wed, 3 Jan 2001 10:07:17 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: You should follow the rules outlined in RFC 2409 which detail how to generate an IV for a post phase 1 exchange. ----- Original Message ----- From: "vamsi" To: Cc: ; Sent: Friday, December 29, 2000 12:21 AM Subject: intialisation vector > Hi, > Should we use the Intialisation vector of phase1 exchange or else should > we produce fresh intialisation vector for the Xauth protected Transaction > exchanges? > > bye > > > > ************************************************************** > Wealth is lost Nothing is lost > Health is lost Something is lost > Character is lost Everything is lost > > **************************************************************** From owner-ietf-xauth Mon Jan 8 15:39:11 2001 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id PAA11321 for ietf-xauth-bks; Mon, 8 Jan 2001 15:39:11 -0800 (PST) Received: from enigma.cyphers.net (enigma.cyphers.net [64.220.173.136]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA11315 for ; Mon, 8 Jan 2001 15:39:09 -0800 (PST) Received: from cyphers.net (prime.cyphers.net [64.220.173.156]) by enigma.cyphers.net (Netscape Messaging Server 4.15) with ESMTP id G6VE1I00.T1M for ; Mon, 8 Jan 2001 16:44:06 -0800 Message-ID: <3A5A50C1.4ABA40F0@cyphers.net> Date: Mon, 08 Jan 2001 15:44:01 -0800 From: Will Price Reply-To: wprice@cyphers.net X-Mailer: Mozilla 4.75 (Macintosh; U; PPC) X-Accept-Language: en,pdf MIME-Version: 1.0 To: ietf-xauth@vpnc.org Subject: XAuth Vendor Interop Draft Content-Type: multipart/mixed; boundary="------------475CC505CEFB60B6EC07C6F8" Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. --------------475CC505CEFB60B6EC07C6F8 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit This is a draft based on what people have sent in the last few weeks. I plan on updating this again based on any feedback I receive. Please send feedback to me titled "XAUTH DATA". Thanks. -- Will Will Price, Director of Engineering PGP Security, Inc. a division of Network Associates, Inc. --------------475CC505CEFB60B6EC07C6F8 Content-Type: text/html; charset=us-ascii; x-mac-type="54455854"; x-mac-creator="4D534945"; name="XauthInterop.htm" Content-Transfer-Encoding: 7bit Content-Description: Unknown Document Content-Disposition: inline; filename="XauthInterop.htm" XAuth Vendor Interop List

Company	Product Name	Version	Xauth Version	Sends VendorID	Understands VendorID	Minimum Xauth Version	Maximum Xauth Version	Type	Supports Hybrid	Ship Date
Alcatel	Secure VPN Gateway	Current	5	No	No	5	5	GW/Client	No	Now
Cisco	VPN Client	3.0	6	Yes	Yes	6	6	Win32 Client	No	Q1 2001
Cisco	VPN Concentrator 3000	3.0	6	Yes	Yes	2	6	Gateway	No	Q1 2001
Cisco	VPN Concentrator 5000	?	6	?	?	?	?	Gateway	Yes	Q1 2001
Cisco	IOS Router Software	12.2.3.T	6	Yes	Yes	3	6	Gateway	No	Soon
Cisco	PIX	5.4	6	No	No	3	6	Gateway	No	Soon
F-Secure	F-Secure VPN+	5.30	6	Yes	Yes	2	6	GW/Client	No	Q2 2001
PGP Security	PGP Desktop Security	7.0.3	6	Yes	Yes	6	6	Win32 + Mac Client	Yes	Now
RapidStream	RapidStream Security Appliance	Release 3.0	6	Yes	Yes	6	6	Gateway	No	Q1 2001
SafeNet	SafeNet/Soft-PK	5.1.0	6	Yes	Yes	4	6	Win32 Client	No	Now
Secure Computing	Sidewinder	5.1 + Patch	6	Yes	Yes	5	6	Gateway	No	Q1 2001

--------------475CC505CEFB60B6EC07C6F8-- From owner-ietf-xauth Mon Jan 15 11:48:31 2001 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id LAA20874 for ietf-xauth-bks; Mon, 15 Jan 2001 11:48:31 -0800 (PST) Received: from enigma.cyphers.net (enigma.cyphers.net [64.220.173.136]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA20868 for ; Mon, 15 Jan 2001 11:48:29 -0800 (PST) Received: from cyphers.net (prime.cyphers.net [64.220.173.156]) by enigma.cyphers.net (Netscape Messaging Server 4.15) with ESMTP id G7823I00.Q04 for ; Mon, 15 Jan 2001 12:54:54 -0800 Message-ID: <3A635551.8AA4E009@cyphers.net> Date: Mon, 15 Jan 2001 11:53:52 -0800 From: Will Price Reply-To: wprice@cyphers.net X-Mailer: Mozilla 4.75 (Macintosh; U; PPC) X-Accept-Language: en,pdf MIME-Version: 1.0 To: ietf-xauth@vpnc.org Subject: XAuth Vendor Interop Draft, V2 References: <3A5A50C1.4ABA40F0@cyphers.net> <048401c07f04$fe9ca790$abd62ca1@cisco.com> Content-Type: multipart/mixed; boundary="------------7F2A1B3852572E7305DB8069" Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. --------------7F2A1B3852572E7305DB8069 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Here is an updated list which should be more readable to those folks who couldn't read the last version. This also has some changes based on feedback over the last week. I will continue to update this document for a while as I receive changes/additions. -- Will Will Price, Director of Engineering PGP Security, Inc. a division of Network Associates, Inc. --------------7F2A1B3852572E7305DB8069 Content-Type: application/zip; x-mac-type="5A495020"; x-mac-creator="53495478"; name="XauthInterop.xls.zip" Content-Transfer-Encoding: base64 Content-Description: Unknown Document Content-Disposition: inline; filename="XauthInterop.xls.zip" UEsDBBQAAAAIADdeLyp6DqkLtA4AAAA4AAAQABAAWGF1dGhJbnRlcm9wLnhscwUnDABaUElU WExTOFhDRUzsW31sFMcVn93b+9i9wxzGYAPGXsyXvzBnG4JDmmAC4UMN4GBCqEoEh72EK/ad fT7zITWJ2yYSrdrKUdKkalDDRxqlTZrQNmmDFJqDWCqJSANto9A2qkhRlbbKH6QhbSIRru/N zr69OdaRcR01bTKr2X3vzZuZ33szO/t25+70qxPOHfzJ1DdZQbqB+djlnM4CeTJFZJ6ijJUK /nIul3PEuc/S/1T6EPJUGDcfZA2yHzKOeRByCLIO2YAchhyBPA5yEeTx9hRgEyAXQ54IuQTy JMiTxZzAPCWP/ix98hJbX3jnX11SYcY4banAmyGVy7N28QpJ+d3P3fm3u7JKGRMTDtJtLMXS bCfbBtcUXK82FTNVwXlL9owIM8z1Gpv2s3bWz7rhiAOOvWw1S7LtHBNKMiwBdPIj2qqG/hVh zkj7x6QpTv/LoYcOjsGCnjJXiacF+pfGcwQJ7/GI6F8PReGG97O1laeC0QEgQf4meOiIdpz7 6c+QN7MeXANuS3R1mW3pRIdlfvzpRo4hriCG65UAPGdU8PF+OBexKRxZMT9P5Oenud7ztjaU 4Eq0fA2raOE2KmyT2sr1vsXPVXBWoB08/4LX+QOXN0K9CyDL3f28PYkrNbbK6trVCCvaM5I8 wFZaSWtX3C5RoWRQ8SrxDVuHedYpYSelEqd/lHvhQrx+WJdRrlwhn1Ugr9DKQQpP7apZVTPr Z86Mbam5bnO1w2yuqdBmwNpfLpV/cb3VebusVAUPh+muUkNMbgd41JoLj4+qQq2C1oTqIlbL mhjbgvJa0+lZsJurRceOoGpeFS9t3QJVG1gNHFA1v55cqaDGElbPFsud2djk/ji0vC6XLHGb uIbVwVxxO3XqX1G5oOY5Pi8Zey9XnXc3Zk2UK1xuMnZxZHL1KuXsUyhX2JV+9sPYcf33C+U1 w8jrh5HXesoxXrqIq3ABntAwcj/U8Gon4OAPFcobbXlkGPklWR4cpp3gsO2wK9q5X9VYdMCX w+uEwQC/Fg9q/DpxMMivJYM6v04aDPErG2T8OnnAn9uq4Ep7L6y4f8HwEfpo32FZmUaU/H1O nqQJJf+amydp/iZEpQocT8FT3scUrRQMcd5Bytg0NgPghhm9l4y7Ds9ok8GOK6B6HMsS8Uss q3YDuYDx0HZZqrsnntwLem3pVGd/R8ZcG++2oGCjle5LpJIAc1O8P7PDFDxEvO1WsrMP+GRn Kr16OUywW5OdUJiJ54sh+l2TSCa6+7tNqT7K43uulIOfNuztsWDStO9I9JjL4xkLAuv2/p6e VDrTZ67auy2d6KxgbH28J9HZnklb8W6z3eroTycye82lPT1diXiywwL711tdVrzPMpsbYhCJ fMHqA1tWQmu743thRVibAvaWRrMpFmuMoinQgmWiE/ozieQdYakDeNK3Jzqt3Qm0D4oWNjSa dWZbPNOxA1pZ2tUBzXYVUysb29aaoid0bH86bSUzYNDK2+Yv60oA7cP+d0PMsSzR15GC1rGG XRTBoCLZ3CTYSaIsBTYlM+l4JpU2m2MxtAjs8ipdCKUw8kvg7WP1unZzfao/Y6XN9tT2zO54 2oIp39jU0NTQ3LABHN2eSiWhpbbVm3xo1AJA2x7fbq21MuOJmo9V57V93s/NbohBCyvm2YaO c0m0uU5DleYYOraJOxYn08o2Gp4Sm11u9e3MpHpIDC0vaog1NBc7pteZa+IdwgFw893c32E7 ZmlHh9XXZ7alEtyFYEWONWkh9m4A57dx/i7o+SGm975l3+FsI2BNwfUEXP8I18kwBvNVo3IP XO9T9aH9GdBrMioPP476+qkLN+pDLxfrZ5Kn74aw0ah85LRR+f279KGXHsE7SD+zqwvyPv3M bk1/o9Wug3z2tSO8/NgLZ43zdxwAUsvl3jpgnF/XqvfeUqr3tu2HtgaNyoMPwPUI5CfF3amA rMyoPHAz1jfOrzitHxsYBDIn2teEzh7UsdtW70e50GNG5YtDiFfo5qeMuJ70wPd2LvdPvoTp vTeljfOJVdVMq0aMTrtcf+hom1H5p0aP+nNyuYtZwLQPbPst2mdj4fY96dgHfBTtywfltK/3 bnxJ791wydY5lIFrPWZmf0EJwZg8Cu/TW+BlKcG6wBYLov3lPNqPw3tRnPWBhI/Jzqw3vne2 4rKo9976DPZj4zuUcVZF6Ot94DfxK/odxhHrCnwuBn5FvcOPi7Z5P3l+Il3wQ9TpB9p9FP0h /JC1+zv80zxXBBzcoL/KbuPg2VzuzXPYFuQfOfPNHouTz3BbYe6JOjBehx/Th17HOXBC770j bPd16CRkLP+y/uPrn2P2ah/CvkDWgnNe3/HtHm5v5aHnnPahrSed8QG62pmPgCdrnF+9FeX6 mWfFOB+uxvaFP6VxJf7MrhbUy2vP9hHHa8vl6eq8/Np4ue4bczL6ma+X6UMPn+K2Ay/a3id8 1IUV9Fe6LyI253UP/HEUchbKWrA/KH8D2wf9J2xf4scb+yUvKr3khVV3suJD8wfwjLt9KmOv TsePPPjAjsC5EyYm0hN4YBmFWXbph+/8Zs22tiVbuLyWy+v4+atcMuBGGmw2BgKsTPkKlBzX nM9DX+Pa9/DzQXxHUJQyhT/kNXZMP/uCXffcEufaq98Kuga704lVihAT05DHWgcmIa/xchWO gVAZlfvgGAi45Roc2aBb3w/HAd0tD8AxYLjlQThaw255CI78+joc5/LqG3Dk1w/jPVhklw/y D2e4XIvwQ2dqEfnf/sQWUqOC7oImTj/bqgwOoEzhsgtwPsIGlNIsylQuOwdFf70BZFzPR3p+ 1GtFmebW/Q7IeB9+kp1+1qkb8OgjSDK3jxDJ2INOHzph4TLeh0F6UdILk14y5ehFSC/2oNPH OJL1fNfRKyLZVmpvPMlU1akb5Z8KUGZS3Qkki5GsmGRZkk0kmUL+KyEZY47eJA/ZZJLd854j KyVZ21EHXxnJzr7g9DGFZAfiTt2pJNM1RzaNZGWa0145yd7e5YzbdJK541ZBsscedvqtJNnW h7CPD/moMTaVn21OAU4hTuUYHM4HZT7iNOA04vzA+YkLABcgLghckLgQcCHidOAM4gzgdMEh ilK+hticAtxk4lTwLD6g7lKR83G6pNUu04AbT5p+wR2DOaAAKlvTPgeFTgikZVRDl+obwE0R nMoxTSUOMU0jDjFVCEyqwFTWapchpnGk6RfcMT4vA0LTPgeFDmIqpxr5mFSOKSo4n4TJxzFN Jy4fk0/C5JMw+SRMPoGJSZh8HFMR1cjH5JMwaRImjWOqJE4Ff5oCkyZh0jgmkzT9EheQuKDE 5SPTOLJxxOUj80vI/BzZDOIQWZVA5peQ+SVv+SVv+YW3QpK3/BImv+QtP8c0U3ABCVOAY5pF HGKaLTAFJEwBaaYHpJke8MQUkDAFJEwBCVOQY6ohDjHVEoeY6gSmoIQpKPkpKPkp6DmrgtLd F5QwBTmmesHhqlGOH+MEpwDXRBxiahaYQoCpnDCFAFM5tRkCTOWEKWR/BAU/ledhwid/OfkJ om2pvgGcsyLoHNM84hBTA3GIab7ApEuYdI5pHGnmY9IFpjIJk84xxaiGLtXPx2TwsSsmDscu TByuCBGByZDGzpDGzpDGzvBcpQxpPhnS2BnSfRfmmOYQh5jmEod+qhaYwhKmsIQpLGEKC0xR CVNYWjnDEqawtJpHOKYJxCGmicShn0oEpoiEKSJhikiYItITxsEUkfwUkTBFyE+KGuDReBmn iogaT1SUqAlEFRM1kagSoiYRNZmoUqLKiJpC1FSiphFVTtR0oiqIquTU6/Aa+2uYel3q99gD /HCu7mGM4MBIxaRIxY1YZ5DMjVirPCKfmSRzo+JZbl2Kimd79DHHo4+5Hn1UuxEhRac1soz3 UUsyNyquI5kbFde7EStFxfNI5kbFDW4ER+3NJ5kbFcc8ouJGj6i4ySMqbvaIihd4RMALPWTX eETFizyi4haPqPhaj6h4cUFUjLPNpHk3g6gqomYSNYuo2UTNIWouUdVE1RBVS1QdUfVEzSOq gaj5RMWIaiSqiahmohYQtZCoa4haRFQLUdcStVjccYtZrQ/fI0dyXxUeN6jF7Of8Fz+tzE3T YbVxPlgI0fFQLWQU4iKHi2iE6G+gAkaZKgRWNyf6Mo0nQs+zE6RtJ5cyeWDhvBPz1RWG196x HP3HtZNCT+ykstzdbNjkfEwJSPtFkB4sZVlTAezHCb8ifOBSpv1ZIn8jQTZi9PjH1gh3EFSm CiMcSgyC2JYQ+Cts/P+hEWOG/wTh94n56FKmPaGkzRUmjcLo8Y+tFS+SFZr4jO1SJo8HCraa ZDNGb8XYmvESmeHnL1D5lGnvv3ptkMnGjN6MsTXmZTImIH7w6FIm/97gva0nWzN6Yz4ua4L2 XZ1HOdZ4bUZ+Mq05StaExJdllzLt+wa3UGXwo7dmbMEPEXidvxbmUyYP9ws3e2XYowc/tnb8 kuywXyXzKdO2hzawvSwYjR1jacHwmyBRSf3Q3P/m5oeb3M2PdiZtfijO5oezdeAmHrxxqjVP 6hG8jdQZT1d/0pzB2j8WZ3yaE/oB3e/8/vsyv4vk33+jLCyun6X/r3Q5h7vFiue8OHfvI//4 YN2O6BP3hVjd3J/9Pgay34l5geWrxNxpE3MHd6wxAtwndPAXAfjJEX/dgTdsltn/Ezgl6kVh tcWNCPzMvWmpHYlgmGiuTmasdKrHxLdH1pFGHZx/7g+QGZdx1CAbrjzKMG7rSKf6Utsz5k17 OqwuezmITLnwq71ZxTcG989H+U997ZXX9jdMi97/EPiv/oOn0H+4O6+LcvQbxgCbmP3Lih3C jh6BfY/w1wCz/1OBfsXXnEHhz6MFfkTfr71pw1J8GKNtr+o6b4+Jdr2uFVH73sf73f5Vnks2 uWQzi0TtzsjZqfTOPizq4/VH60sFPIgPC5yLhf8dwHlRMH4mdctXo5YVq2/EpZ+XNXCkDS2j RPLpTApbxlKsG+bcOraNfemq6+On5vz1ZCR18Jm76ap7Gj5dbf9jnf6X+//3AFBLAQIUBxQA AAAIADdeLyp6DqkLtA4AAAA4AAAQABAAAAAAAAAAAAAAAAAAAABYYXV0aEludGVyb3AueGxz BScMAFpQSVRYTFM4WENFTFBLBQYAAAAAAQABAE4AAADyDgAAAAA= --------------7F2A1B3852572E7305DB8069-- From owner-ietf-xauth Fri Jan 19 03:08:39 2001 Received: by ns.secondary.com (8.9.3/8.9.3) id DAA00568 for ietf-xauth-bks; Fri, 19 Jan 2001 03:08:39 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA00552 for ; Fri, 19 Jan 2001 03:08:12 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id EAA02371; Fri, 19 Jan 2001 04:51:57 +0530 Message-Id: <200101182321.EAA02371@venus.roc.com> X-Sender: vamsi@172.16.1.10 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Fri, 19 Jan 2001 16:36:54 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: Basic,Variable Ascii string,Variable Cc: raghava@brahma.roc.com, srao@brahma.roc.com Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id DAA00565 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, The attributes in Xauth draft are as follows Attribute Value Type --------------------- ------ --------------------- XAUTH-TYPE 16520 Basic XAUTH-USER-NAME 16521 Variable ASCII string XAUTH-USER-PASSWORD 16522 Variable ASCII string XAUTH-PASSCODE 16523 Variable ASCII string XAUTH-MESSAGE 16524 Variable ASCII string XAUTH-CHALLENGE 16525 Variable ASCII string XAUTH-DOMAIN 16526 Variable ASCII string XAUTH-STATUS 16527 Basic XAUTH-NEXT-PIN 16528 Variable XAUTH-ANSWER 16529 Variable ASCII string My questions are 1)What is meant by basic? 2)In what way the 'variable ASCII string' and 'variable' differs? 3)I am assuming the following attributes comes under TV format a)XAUTH_TYPE b)XAUTH_STATUS simillarly I am assuming the remaining XAuth attributes comes under TLV format. Please let me know whether my assumptions regarding this attribute Type (TV/TLV) are correct or not. bye vamsi ************************************************************** Wealth is lost�� Nothing is lost Health is lost�� Something is lost Character is lost�� Everything is lost **************************************************************** From owner-ietf-xauth Fri Jan 19 06:26:21 2001 Received: by ns.secondary.com (8.9.3/8.9.3) id GAA17592 for ietf-xauth-bks; Fri, 19 Jan 2001 06:26:21 -0800 (PST) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA17587 for ; Fri, 19 Jan 2001 06:26:20 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id GAA21417; Fri, 19 Jan 2001 06:31:20 -0800 (PST) Received: from stephanent3 (kan2-dhcp-161-44-214-171.cisco.com [161.44.214.171]) by toque.cisco.com (Mirapoint) with SMTP id AAU55400; Fri, 19 Jan 2001 09:31:03 -0500 (EST) Message-ID: <001b01c08224$b23a69a0$abd62ca1@cisco.com> From: "Stephane Beaulieu" To: , "vamsi" Cc: , References: <200101182321.EAA02371@venus.roc.com> Subject: Re: Basic,Variable Ascii string,Variable Date: Fri, 19 Jan 2001 09:32:48 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: > Hi, > > The attributes in Xauth draft are as follows > > > > Attribute Value Type > --------------------- ------ > --------------------- > XAUTH-TYPE 16520 Basic > XAUTH-USER-NAME 16521 Variable ASCII string > XAUTH-USER-PASSWORD 16522 Variable ASCII string > XAUTH-PASSCODE 16523 Variable ASCII string > XAUTH-MESSAGE 16524 Variable ASCII string > XAUTH-CHALLENGE 16525 Variable ASCII string > XAUTH-DOMAIN 16526 Variable ASCII string > XAUTH-STATUS 16527 Basic > XAUTH-NEXT-PIN 16528 Variable > XAUTH-ANSWER 16529 Variable ASCII string > > My questions are > 1)What is meant by basic? This is specified in RFC 2408. It's in the attribute encoding text. > 2)In what way the 'variable ASCII string' and 'variable' differs? Encoding is the same. It's just a hint to the implementors to say what type of data is in the attribute (i.e. binary vs. ascii text) > 3)I am assuming the following attributes comes under TV format > a)XAUTH_TYPE > b)XAUTH_STATUS > simillarly I am assuming the remaining XAuth attributes comes under TLV > format. yes > Please let me know whether my assumptions regarding this attribute Type > (TV/TLV) are correct or not. > > bye > vamsi > > > > ************************************************************** > Wealth is lost Nothing is lost > Health is lost Something is lost > Character is lost Everything is lost > > **************************************************************** From owner-ietf-xauth Mon Jan 22 15:52:21 2001 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id PAA19581 for ietf-xauth-bks; Mon, 22 Jan 2001 15:52:21 -0800 (PST) Received: from cins.hanyang.ac.kr ([166.104.204.187]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA19575 for ; Mon, 22 Jan 2001 15:52:18 -0800 (PST) From: emed22@libero.it Received: by cins.hanyang.ac.kr id IAA283898; Tue, 23 Jan 2001 08:32:40 +0900 (KST) To: ietf-xauth@vpnc.org Subject: Obtain Biotech IPOs! 120 Date: Mon, 22 Jan 2001 18:56:04 Message-Id: <213.419456.809914@libero.it> Reply-To: emed22@libero.it Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by cins.hanyang.ac.kr id IAA283898 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:

Help Beta Test Our Site and Be Eligible to Purchase Shares= of=20 Future IPOs In Which We Participate**

eMedsecurities has selected you as a possible participant = to help=20 test our online stock-trading engine for knowledge-based investing = in the=20 life sciences. For your cooperation, you will be eligible = to purchase=20 shares of future IPOs in which we participate, for as long as y= ou=20 maintain your account with us. This is limited to only 50 = qualified=20 testers! Request M= ore Information.**

eMedsecurities=85 The Cure for the Common Portfolio!

eMedsecurities provides you with a wealth of information, = all=20 compiled in a single, easy-to-use resource. Learn about new r= esearch=20 and upcoming treatments for diabetes, glaucoma, cataract, obesity a= nd much more. Obtain critical investment information about the=20 companies that are developing these treatments. eMedsecuritie= s empowers=20 you to make more informed investment decisions. Request More Information.**

Participation i= n eMedsecurities's Beta Test allows you: