From owner-ietf-xauth Mon Oct 23 10:16:32 2000 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id KAA19115 for ietf-xauth-bks; Mon, 23 Oct 2000 10:16:32 -0700 (PDT) Received: from [165.227.249.17] (ip17.proper.com [165.227.249.17]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA19103 for ; Mon, 23 Oct 2000 10:16:29 -0700 (PDT) Mime-Version: 1.0 X-Sender: phoffvpnc@mail.vpnc.org Message-Id: Date: Mon, 23 Oct 2000 10:21:33 -0700 To: ietf-xauth@vpnc.org From: Paul Hoffman / VPNC Subject: Starting this list Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Greetings. The purpose of this list is to discuss the XAUTH protocol. This list was started so that current XAUTH implementors can discuss the current draft and make sure that they interoperate. XAUTH is out scope for the IPsec WG until the son-of-IKE document is finished, but some of you are already shipping products, and some of you are having interop problems. Please use this list to discuss the current draft and your implementations. Note that it is likely that the IPSRA WG will have a very different mechanism for getting remote access users into a gateway, and it is likely that this mechanism will be on standards track (whereas it is likely that XAUTH will not be on standards track any time soon). That should not color your discussion of XAUTH, but it should certainly be considered in your implementation plans. --Paul Hoffman, Director --VPN Consortium From owner-ietf-xauth Wed Nov 1 15:18:38 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id PAA13156 for ietf-xauth-bks; Wed, 1 Nov 2000 15:18:38 -0800 (PST) Received: from corvus.netcenter ([205.178.117.162]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA13151 for ; Wed, 1 Nov 2000 15:18:37 -0800 (PST) Received: by email.rapidstream.com with Internet Mail Service (5.5.2650.21) id ; Wed, 1 Nov 2000 15:24:23 -0800 Message-ID: <5F235E8F67EAD311993200D0B708A6D85AB8AD@email.rapidstream.com> From: Leemay Yen To: "'stephane@cisco.com'" , "'ietf-xauth@vpnc.org'" Cc: Leemay Yen Subject: Xauth Transaction Identifier Date: Wed, 1 Nov 2000 15:24:23 -0800 Importance: high X-Priority: 1 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, Stephane: Thank you in advance to answer my following questions about your xauth draft (Oct. 2000). 1. In Section 6, it says: "All ISAKMP-Config messages in an extended authentication transaction MUST contain the same ISAKMP-Config transaction identifier." Does it mean that a single "identifier" value shall be used in the whole xauth transaction ? Then if the whole xauth exchange looks like: Request --> <-- Reply Request --> <-- Reply Set --> <-- Ack Only one id value will be used no matter how many pairs of messages (Request/Reply, Set/Ack) ? 2. What is the starting value for this "identifier" ? Is it always incremented by 1 ? What will be the cases to use different identifier values ? 3. Should we change the identifier value for the "authentication failure retry" ? or even the re-authentication phase (per RADIUS, as described in section 6) ? In addition, have you thought about how to support "password change", which can be initiated by the end host or even the edge device ? Thanks again for your advise. Leemay Yen RapidStream, Inc. From owner-ietf-xauth Wed Nov 1 17:46:05 2000 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id RAA16021 for ietf-xauth-bks; Wed, 1 Nov 2000 17:46:05 -0800 (PST) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id RAA16017 for ; Wed, 1 Nov 2000 17:46:03 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id RAA28133; Wed, 1 Nov 2000 17:51:56 -0800 (PST) Received: from stephanent (franklin-dhcp-246-66.cisco.com [161.44.246.66]) by toque.cisco.com (Mirapoint) with SMTP id AAG11371; Wed, 1 Nov 2000 20:51:53 -0500 (EST) Message-ID: <00e001c0446f$b4046760$c82a9c18@cisco.com> From: "Stephane Beaulieu" To: "Leemay Yen" , Cc: "Leemay Yen" References: <5F235E8F67EAD311993200D0B708A6D85AB8AD@email.rapidstream.com> Subject: Re: Xauth Transaction Identifier Date: Wed, 1 Nov 2000 20:53:29 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, Comments inline. > > Thank you in advance to answer my following questions about > your xauth draft (Oct. 2000). > > 1. In Section 6, it says: > "All ISAKMP-Config messages in an extended authentication transaction > MUST contain the same ISAKMP-Config transaction identifier." > > Does it mean that a single "identifier" value shall be used in the whole > xauth > transaction ? Yes. > > Then if the whole xauth exchange looks like: > Request --> > <-- Reply > Request --> > <-- Reply > Set --> > <-- Ack > > Only one id value will be used no matter how many pairs of messages > (Request/Reply, Set/Ack) ? Correct > > 2. What is the starting value for this "identifier" ? > Is it always incremented by 1 ? > What will be the cases to use different identifier values ? The identifier is inherrited by the mode-cfg draft. I believe it can indeed be set to any number, and does not need to be sequential. The purpose of the identifier is to be able to distinguish several mode-cfg exchanges that may be occuring at the same time and/or to link several mode-cfg exchanges together (such as XAUTH does). Currently, I can't think of any situations that are documented by any vendors who support the mode-cfg draft that uses more than 1 mode-cfg exchange at a time. Though, it is conceivable, that someone would eventually build something on top of mode-cfg which might do this. > > 3. Should we change the identifier value for the "authentication failure > retry" ? No. The identifier should stay the same until the SET/ACK is complete. Once the SET/ACK is complete that identifier should not be used anymore. > or even the re-authentication phase (per RADIUS, as described in section 6) > ? Yes. In this case we use a new identifier. This is a whole new XAUTH exchange (even though it is with the same peer). > > In addition, have you thought about how to support "password change", which > can be initiated by the end host or even the edge device ? I would suggest the following for something initiated by the edge device. Client <--> GW <-- REQ (Username = '', pwd = '') REPLY (Username = 'joe', pwd = 'mypwd') --> <-- REQ (pwd = '', msg = 'Your password has expired, please enter a new password') REPLY (pwd = 'mynewpwd') --> <-- SET (OK) ACK() --> As for the Client side initiated change of password. I would presume that in systems that allow this, it could be done by the Client at any time after the tunnel comes up. For example, I'm actually tunneling into my VPN at Cisco using XAUTH with NT domain authentication. Using this configuration, I've just successfully changed my NT domain password on the corporate net. Please let me know if you can think of problems with other types of authentication systems in which this would not be possible. Regards, Stephane. > > Thanks again for your advise. > > Leemay Yen > RapidStream, Inc. > > From owner-ietf-xauth Wed Nov 1 18:33:56 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id SAA16929 for ietf-xauth-bks; Wed, 1 Nov 2000 18:33:56 -0800 (PST) Received: from corvus.netcenter ([205.178.117.162]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA16924 for ; Wed, 1 Nov 2000 18:33:55 -0800 (PST) Received: by email.rapidstream.com with Internet Mail Service (5.5.2650.21) id ; Wed, 1 Nov 2000 18:39:43 -0800 Message-ID: <5F235E8F67EAD311993200D0B708A6D85AB8AF@email.rapidstream.com> From: Leemay Yen To: "'Stephane Beaulieu'" , ietf-xauth@vpnc.org Cc: Leemay Yen Subject: RE: Xauth Transaction Identifier Date: Wed, 1 Nov 2000 18:39:36 -0800 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Stephane: Thanks for your answers. To follow up your suggestions for the change password support. Yes, I do think there might be some cases that client couldn't use the regular LAN traffic/protocol to change their passwords if they want to. For example, if the edge device does maintain its own authentication database or some RADIUS server does support password change but rely on the edge device to pass on the requests. Then there is a need to create such mechanism in xauth to do so. In your new draft, XAUTH_ANSWER is very specific to SecurID support. If we can relax the limitation, we may be able to allow the client to initiate the password change request. For example, Client <--> GW <-- REQ (Username = '', pwd = '') REPLY (Username = 'joe', pwd = 'mypwd') --> <-- REQ (answer = '', msg = 'Your password is about to expire, do you want to change your password ?") REPLY (answer = 'y') --> <<< passowrd change details...>>> <-- SET (OK) ACK() --> Or we could simply have another attribute "XAUTH_PASSWORD_CHANGE" to allow client to initiate the action. Just try to throw some ideas and point out the need for such features. Not sure if any other vendors have also thought about this ? Thanks. Leemay > In addition, have you thought about how to support "password change", which > can be initiated by the end host or even the edge device ? I would suggest the following for something initiated by the edge device. Client <--> GW <-- REQ (Username = '', pwd = '') REPLY (Username = 'joe', pwd = 'mypwd') --> <-- REQ (pwd = '', msg = 'Your password has expired, please enter a new password') REPLY (pwd = 'mynewpwd') --> <-- SET (OK) ACK() --> As for the Client side initiated change of password. I would presume that in systems that allow this, it could be done by the Client at any time after the tunnel comes up. For example, I'm actually tunneling into my VPN at Cisco using XAUTH with NT domain authentication. Using this configuration, I've just successfully changed my NT domain password on the corporate net. Please let me know if you can think of problems with other types of authentication systems in which this would not be possible. Regards, Stephane. > > Thanks again for your advise. > > Leemay Yen > RapidStream, Inc. > > From owner-ietf-xauth Thu Nov 2 06:39:57 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id GAA13880 for ietf-xauth-bks; Thu, 2 Nov 2000 06:39:57 -0800 (PST) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA13874 for ; Thu, 2 Nov 2000 06:39:56 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id GAA23249; Thu, 2 Nov 2000 06:45:52 -0800 (PST) Received: from stephanent (kan2-dhcp-161-44-214-158.cisco.com [161.44.214.158]) by toque.cisco.com (Mirapoint) with SMTP id AAG12096; Thu, 2 Nov 2000 09:45:49 -0500 (EST) Message-ID: <006f01c044db$d1dfb700$9ed62ca1@cisco.com> From: "Stephane Beaulieu" To: "Leemay Yen" , Cc: "Leemay Yen" References: <5F235E8F67EAD311993200D0B708A6D85AB8AF@email.rapidstream.com> Subject: Re: Xauth Transaction Identifier Date: Thu, 2 Nov 2000 09:47:27 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Leemay, > > In your new draft, XAUTH_ANSWER is very specific to > SecurID support. If we can relax the limitation, we > may be able to allow the client to initiate the password > change request. For example, XAUTH_ANSWER is not meant to be SecurID specific at all. Though I suppose it is the only example that I gave of it. > > Client <--> GW > <-- REQ (Username = '', pwd = '') > REPLY (Username = 'joe', pwd = 'mypwd') --> > <-- REQ (answer = '', msg = 'Your password is about > to expire, do you want to change your password ?") > REPLY (answer = 'y') --> > <<< passowrd change details...>>> > <-- SET (OK) > ACK() --> > What you've outlined here does work. The section you left empty (i.e. <>) would simply be replaced by <-- REQ (pwd = '', msg = 'Enter your new password') REPLY (pwd = 'mynewestpwd') --> Though in the case you've outlined, the password change is still more or less initiated by the edge device, though it leaves the option to the user whether or not he/she wishes to refuse to change their password. > Or we could simply have another attribute "XAUTH_PASSWORD_CHANGE" > to allow client to initiate the action. Do you still think this might be required given my comments above? Thanks for your input, Stephane. From owner-ietf-xauth Thu Nov 16 03:50:00 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id DAA06946 for ietf-xauth-bks; Thu, 16 Nov 2000 03:50:00 -0800 (PST) Received: from venus.roc.com ([203.197.20.103]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA06848 for ; Thu, 16 Nov 2000 03:49:39 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id FAA01399 for ; Thu, 16 Nov 2000 05:31:20 +0530 Message-Id: <200011160001.FAA01399@venus.roc.com> X-Sender: vamsi@172.16.1.10 (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Thu, 16 Nov 2000 17:21:27 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: question Mime-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:
Hi,
In  'Extended Authentication with in IKE(XAUTH) '   is it mandatory  to support  the  IKECFG 
configuration  attributes?
   regards
       vamsi



**************************************************************
Wealth is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Nothing is lost
Health is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Something is lost
Character is lost=A0=A0=A0=A0=A0 Everything is lost

**************************************************************** From owner-ietf-xauth Thu Nov 16 06:11:12 2000 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id GAA20314 for ietf-xauth-bks; Thu, 16 Nov 2000 06:11:12 -0800 (PST) Received: from sj-msg-core-4.cisco.com (sj-msg-core-4.cisco.com [171.71.163.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA20302 for ; Thu, 16 Nov 2000 06:11:09 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-4.cisco.com (8.9.3/8.9.1) with ESMTP id GAA10373; Thu, 16 Nov 2000 06:17:44 -0800 (PST) Received: from stephanent3 (kan2-dhcp-161-44-214-131.cisco.com [161.44.214.131]) by toque.cisco.com (Mirapoint) with SMTP id AAI14406; Thu, 16 Nov 2000 09:17:41 -0500 (EST) Message-ID: <04e301c04fd8$382c2000$83d62ca1@cisco.com> From: "Stephane Beaulieu" To: , "vamsi" References: <200011160001.FAA01399@venus.roc.com> Subject: Re: question Date: Thu, 16 Nov 2000 09:19:23 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_04E0_01C04FAE.4F4B69A0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_04E0_01C04FAE.4F4B69A0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable No. ----- Original Message -----=20 From: vamsi=20 To: ietf-xauth@vpnc.org=20 Sent: Thursday, November 16, 2000 6:51 AM Subject: question Hi, In 'Extended Authentication with in IKE(XAUTH) ' is it mandatory = to support the IKECFG =20 configuration attributes? regards vamsi=20 ************************************************************** Wealth is lost Nothing is lost Health is lost Something is lost Character is lost Everything is lost=20 ****************************************************************=20 ------=_NextPart_000_04E0_01C04FAE.4F4B69A0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
No.
----- Original Message -----
From:=20 vamsi=20
Sent: Thursday, November 16, = 2000 6:51=20 AM
Subject: question

Hi,
In  'Extended Authentication with in IKE(XAUTH) = '   is it=20 mandatory  to support  the  IKECFG 
configuration  attributes?
   regards
       = vamsi=20 =



***************************************************= ***********
Wealth=20 is = lost           =20 Nothing is lost
Health is=20 lost            = Something is lost
Character is lost     =20 Everything is lost=20 =

**************************************************************** = ------=_NextPart_000_04E0_01C04FAE.4F4B69A0-- From owner-ietf-xauth Tue Nov 21 02:39:01 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id CAA24239 for ietf-xauth-bks; Tue, 21 Nov 2000 02:39:01 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA24183 for ; Tue, 21 Nov 2000 02:38:45 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id EAA08297 for ; Tue, 21 Nov 2000 04:16:32 +0530 Message-Id: <200011202246.EAA08297@venus.roc.com> X-Sender: vamsi@172.16.1.10 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 21 Nov 2000 16:06:18 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: vendor id Mime-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:
Hi,

   In  the  draft of   ' Extended Authentication within IKE (XAUTH)' it is written as

"   In order to ensure interoperability with
   future and past implementations of XAUTH a Vendor ID has been added.
   The Vendor ID payload is sent during the phase 1 exchange as per
   [ISAKMP].  The vendor id payload SHOULD be authenticated whenever
   possible.  "

  
   My  question  is  in which message  of  phase 1   exchange should  'vendor ID payload'  is  sent ?
  If the  phase 1  is in Main mode  then   in which message and if  it is Agressive Mode  then in which
message?

bye



**************************************************************
Wealth is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Nothing is lost
Health is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Something is lost
Character is lost=A0=A0=A0=A0=A0 Everything is lost

**************************************************************** From owner-ietf-xauth Tue Nov 21 02:55:49 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id CAA26797 for ietf-xauth-bks; Tue, 21 Nov 2000 02:55:49 -0800 (PST) Received: from ns01.newbridge.com (ns01.newbridge.com [192.75.23.67]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA26793 for ; Tue, 21 Nov 2000 02:55:48 -0800 (PST) Received: (from smtpd@localhost) by ns01.newbridge.com (8.9.2/8.9.2) id FAA21066 for ; Tue, 21 Nov 2000 05:48:24 -0500 (EST) Received: from portal1.newbridge.com(192.75.23.76), claiming to be "kanata-mh1.ca.newbridge.com" via SMTP by ns01.newbridge.com, id smtpdAAA0c1wCW; Tue Nov 21 05:48:21 2000 Received: from kanmail02.ca.newbridge.com by kanata-mh1.ca.newbridge.com with ESMTP for ietf-xauth@vpnc.org; Tue, 21 Nov 2000 05:54:28 -0500 Received: from andrewk3 ([138.120.114.30]) by kanmail02.ca.newbridge.com (Netscape Messaging Server 3.6) with ESMTP id AAAF52; Tue, 21 Nov 2000 05:54:28 -0500 Reply-To: From: "Andrew Krywaniuk" To: "'vamsi'" , Subject: RE: vendor id Date: Tue, 21 Nov 2000 05:46:46 -0500 Message-Id: <004501c053a8$5a60ac30$1e72788a@andrewk3.ca.alcatel.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 In-Reply-To: <200011202246.EAA08297@venus.roc.com> Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Vamsi, When to send vendor ids is not documented anywhere in the RFCs (not even in the expired extension methods draft). For simplicity's sake, I would recommend sending all vendor ids in the first two messages of the exchange. You will get better interoperability that way. Also, the XAuth draft tells you to include a private attribute within the SA payload, which is always sent in the first two messages of the exchange. If you don't send the vendor id immediately then the peer won't know how to interpret that attribute. Andrew -------------------------------------- Beauty with out truth is insubstantial. Truth without beauty is unbearable. -----Original Message----- From: owner-ietf-xauth@mail.vpnc.org [mailto:owner-ietf-xauth@mail.vpnc.org]On Behalf Of vamsi Sent: Tuesday, November 21, 2000 5:36 AM To: ietf-xauth@vpnc.org Subject: vendor id Hi, In the draft of ' Extended Authentication within IKE (XAUTH)' it is written as " In order to ensure interoperability with future and past implementations of XAUTH a Vendor ID has been added. The Vendor ID payload is sent during the phase 1 exchange as per [ISAKMP]. The vendor id payload SHOULD be authenticated whenever possible. " My question is in which message of phase 1 exchange should 'vendor ID payload' is sent ? If the phase 1 is in Main mode then in which message and if it is Agressive Mode then in which message? bye ************************************************************** Wealth is lost Nothing is lost Health is lost Something is lost Character is lost Everything is lost **************************************************************** From owner-ietf-xauth Tue Nov 21 16:50:25 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id QAA07908 for ietf-xauth-bks; Tue, 21 Nov 2000 16:50:25 -0800 (PST) Received: from enigma.cyphers.net (enigma.cyphers.net [64.220.173.136]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA07902 for ; Tue, 21 Nov 2000 16:50:22 -0800 (PST) Received: from cyphers.net ([64.220.173.131]) by enigma.cyphers.net (Netscape Messaging Server 4.15) with ESMTP id G4EL4E00.J1Z for ; Tue, 21 Nov 2000 17:50:38 -0800 Message-ID: <3A1B187F.44225C3C@cyphers.net> Date: Tue, 21 Nov 2000 16:51:11 -0800 From: Will Price Reply-To: wprice@cyphers.net X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U) X-Accept-Language: en,pdf MIME-Version: 1.0 To: ietf-xauth@vpnc.org Subject: List of vendors shipping XAuth Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: One of the stumbling blocks in trying to ship XAuth support has been the lack of information regarding shipping XAuth products. Is there any existing compilation of such information? We'd like to test our implementation against at least 3 three shipping or near shipping implementations within the next 3 weeks (ie we're shipping it real soon.) If there is not, I would volunteer to collect the information. I'd like to keep it simple like: Product Name Version Company XAuth Version Send xauth vendor ID (5 or 6?) Understand xauth vendor ID? Minimum XAuth version supported Maximum XAuth version supported Gateway or client Date shipping since or date expected to ship -- Will Price, Director of Engineering PGP Security, Inc. a division of Network Associates, Inc. From owner-ietf-xauth Tue Nov 21 16:52:04 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id QAA07954 for ietf-xauth-bks; Tue, 21 Nov 2000 16:52:04 -0800 (PST) Received: from enigma.cyphers.net (enigma.cyphers.net [64.220.173.136]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA07947 for ; Tue, 21 Nov 2000 16:52:03 -0800 (PST) Received: from cyphers.net ([64.220.173.131]) by enigma.cyphers.net (Netscape Messaging Server 4.15) with ESMTP id G4EL7700.91T for ; Tue, 21 Nov 2000 17:52:19 -0800 Message-ID: <3A1B18E5.30DEB01E@cyphers.net> Date: Tue, 21 Nov 2000 16:52:53 -0800 From: Will Price Reply-To: wprice@cyphers.net X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U) X-Accept-Language: en,pdf MIME-Version: 1.0 To: ietf-xauth@vpnc.org Subject: Re: List of vendors shipping XAuth References: <3A1B187F.44225C3C@cyphers.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Sorry, sent that half baked. One more question: Supports hybrid auth extensions? I imagine people would appreciate if all responses were sent directly to me with the title "XAUTH DATA" and I will collate and repost to this list. Will Price wrote: > > One of the stumbling blocks in trying to ship XAuth support has been the > lack of information regarding shipping XAuth products. Is there any > existing compilation of such information? We'd like to test our > implementation against at least 3 three shipping or near shipping > implementations within the next 3 weeks (ie we're shipping it real soon.) > > If there is not, I would volunteer to collect the information. I'd like to > keep it simple like: > > Product Name > Version > Company > XAuth Version > Send xauth vendor ID (5 or 6?) > Understand xauth vendor ID? > Minimum XAuth version supported > Maximum XAuth version supported > Gateway or client > Date shipping since or date expected to ship > > -- > > Will Price, Director of Engineering > PGP Security, Inc. > a division of Network Associates, Inc. -- Will Price, Director of Engineering PGP Security, Inc. a division of Network Associates, Inc. From owner-ietf-xauth Wed Nov 22 06:17:56 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id GAA03400 for ietf-xauth-bks; Wed, 22 Nov 2000 06:17:56 -0800 (PST) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA03392 for ; Wed, 22 Nov 2000 06:17:54 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id GAB16240; Wed, 22 Nov 2000 06:18:24 -0800 (PST) Received: from stephanent3 (kan2-dhcp-161-44-214-131.cisco.com [161.44.214.131]) by toque.cisco.com (Mirapoint) with SMTP id AAL22195; Wed, 22 Nov 2000 09:18:18 -0500 (EST) Message-ID: <0fed01c0548f$4cf0cd40$83d62ca1@cisco.com> From: "Stephane Beaulieu" To: , References: <3A1B187F.44225C3C@cyphers.net> <3A1B18E5.30DEB01E@cyphers.net> Subject: Re: List of vendors shipping XAuth Date: Wed, 22 Nov 2000 09:20:01 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hey Will, Great idea. XAUTH has been around for about 2-3 years now. I haven't seen any major issues with it in the last year (other than backwards compatibility issues with the older versions). The idea of this mailing list was to have a forum to discuss technical roadblocks. So far, I haven't seen any. If we can gather this kind of data, it will help move the draft to RFC Informational, and then we can all move on (and interoperate, of course ). Stephane. ----- Original Message ----- From: "Will Price" To: Sent: Tuesday, November 21, 2000 7:52 PM Subject: Re: List of vendors shipping XAuth > Sorry, sent that half baked. One more question: > > Supports hybrid auth extensions? > > I imagine people would appreciate if all responses were sent directly to > me with the title "XAUTH DATA" and I will collate and repost to this list. > > > Will Price wrote: > > > > One of the stumbling blocks in trying to ship XAuth support has been the > > lack of information regarding shipping XAuth products. Is there any > > existing compilation of such information? We'd like to test our > > implementation against at least 3 three shipping or near shipping > > implementations within the next 3 weeks (ie we're shipping it real soon.) > > > > If there is not, I would volunteer to collect the information. I'd like to > > keep it simple like: > > > > Product Name > > Version > > Company > > XAuth Version > > Send xauth vendor ID (5 or 6?) > > Understand xauth vendor ID? > > Minimum XAuth version supported > > Maximum XAuth version supported > > Gateway or client > > Date shipping since or date expected to ship > > > > -- > > > > Will Price, Director of Engineering > > PGP Security, Inc. > > a division of Network Associates, Inc. > > -- > > Will Price, Director of Engineering > PGP Security, Inc. > a division of Network Associates, Inc. From owner-ietf-xauth Mon Nov 27 23:10:02 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id XAA24454 for ietf-xauth-bks; Mon, 27 Nov 2000 23:10:02 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA24294 for ; Mon, 27 Nov 2000 23:09:38 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id AAA08263 for ; Tue, 28 Nov 2000 00:48:05 +0530 Message-Id: <200011271918.AAA08263@venus.roc.com> X-Sender: vamsi@intotoinc.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 28 Nov 2000 12:37:10 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: notify remote device about Xauth Mime-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:
Hi,
It is neccessary  that edge device should  inform the   remote device  that Xauth follows once after completing the phase 1 exchange . (this is what they specified in Xauth draft)
We are any how  exchanging the vendor Id payload in the first two messages of phase 1   which is
sufficient   to notify a remote device  that 'Xauth ' follows   once after completion  of  Phase 1 exchanges.
In the Xauth draft  they specified two methods to notify the remote device  about Xauth :
1)Notification payloads with in Phase 1 exchange.
2)Notification  via Authentication Type.

My question is why    to  use    above two methods    even  though we already have  'Vendor ID ' option to notify  the remote host about  'Xauth'  ?
Which  method is more justified  to notify the remote device about Xauth  either by using 'Vendor Id' or 'Notification payload ' or  'Notification via Authentication types' ?

bye






**************************************************************
Wealth is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Nothing is lost
Health is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Something is lost
Character is lost=A0=A0=A0=A0=A0 Everything is lost

**************************************************************** From owner-ietf-xauth Tue Nov 28 06:48:28 2000 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id GAA03583 for ietf-xauth-bks; Tue, 28 Nov 2000 06:48:28 -0800 (PST) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA03579 for ; Tue, 28 Nov 2000 06:48:27 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id GAA21234; Tue, 28 Nov 2000 06:48:57 -0800 (PST) Received: from stephanent3 (kan2-dhcp-161-44-214-131.cisco.com [161.44.214.131]) by toque.cisco.com (Mirapoint) with SMTP id AAN13200; Tue, 28 Nov 2000 09:48:50 -0500 (EST) Message-ID: <185e01c0594a$9091f370$83d62ca1@cisco.com> From: "Stephane Beaulieu" To: , "vamsi" References: <200011271918.AAA08263@venus.roc.com> Subject: Re: notify remote device about Xauth Date: Tue, 28 Nov 2000 09:50:35 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_185B_01C05920.A79EED90" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_185B_01C05920.A79EED90 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi, 1) The Vendor ID payload says "I know how to speak XAUTH". It doesn't = say "We must do XAUTH". 2) The Vendor ID payload is not authenticated. To have successful interop, you'll have to use both Vendor ID and = Notification via Authentication Method Types. ----- Original Message -----=20 From: vamsi=20 To: ietf-xauth@vpnc.org=20 Sent: Tuesday, November 28, 2000 2:07 AM Subject: notify remote device about Xauth Hi, It is neccessary that edge device should inform the remote device = that Xauth follows once after completing the phase 1 exchange . (this is = what they specified in Xauth draft) We are any how exchanging the vendor Id payload in the first two = messages of phase 1 which is=20 sufficient to notify a remote device that 'Xauth ' follows once = after completion of Phase 1 exchanges. In the Xauth draft they specified two methods to notify the remote = device about Xauth : 1)Notification payloads with in Phase 1 exchange. 2)Notification via Authentication Type. My question is why to use above two methods even though we = already have 'Vendor ID ' option to notify the remote host about = 'Xauth' ? Which method is more justified to notify the remote device about = Xauth either by using 'Vendor Id' or 'Notification payload ' or = 'Notification via Authentication types' ? bye ************************************************************** Wealth is lost Nothing is lost Health is lost Something is lost Character is lost Everything is lost=20 ****************************************************************=20 ------=_NextPart_000_185B_01C05920.A79EED90 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
Hi,
 
1) The Vendor ID payload says = "I know how to=20 speak XAUTH".  It doesn't say "We must do XAUTH".
 
2) The Vendor ID payload is not=20 authenticated.
 
To have successful interop, you'll have = to use both=20 Vendor ID and Notification via Authentication Method Types.
 
----- Original Message -----
From:=20 vamsi=20
Sent: Tuesday, November 28, = 2000 2:07=20 AM
Subject: notify remote device = about=20 Xauth

Hi,
It is neccessary  that edge device should  inform=20 the   remote device  that Xauth follows once after = completing=20 the phase 1 exchange . (this is what they specified in Xauth = draft)
We are any how  exchanging the vendor Id payload in the = first two=20 messages of phase 1   which is
sufficient   to notify a remote device  that = 'Xauth '=20 follows   once after completion  of  Phase 1=20 exchanges.
In the Xauth draft  they specified two methods to notify the = remote=20 device  about Xauth :
1)Notification payloads with in Phase 1 exchange.
2)Notification  via Authentication Type.

My question is why    to  = use    above=20 two methods    even  though we already have  = 'Vendor=20 ID ' option to notify  the remote host about  'Xauth'  = ?
Which  method is more justified  to notify the remote = device=20 about Xauth  either by using 'Vendor Id' or 'Notification payload = '=20 or  'Notification via Authentication types' ?

=
bye






*****************************= *********************************
Wealth=20 is = lost           =20 Nothing is lost
Health is=20 lost            = Something is lost
Character is lost     =20 Everything is lost=20 =

**************************************************************** = ------=_NextPart_000_185B_01C05920.A79EED90-- From owner-ietf-xauth Wed Nov 29 23:17:49 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id XAA05088 for ietf-xauth-bks; Wed, 29 Nov 2000 23:17:49 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA05068 for ; Wed, 29 Nov 2000 23:17:42 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id AAA11561 for ; Thu, 30 Nov 2000 00:56:37 +0530 Message-Id: <200011291926.AAA11561@venus.roc.com> X-Sender: vamsi@172.16.1.10 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Thu, 30 Nov 2000 12:45:23 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: missing ACK message Mime-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:
Hi,
The following is the  general  Xauth transaction

IPSec Host            =             &nbs= p;            &n= bsp;        Edge Device
   --------------          &n= bsp;            =              -----------------
            = ;            &nb= sp;            &= nbsp; <-- REQUEST
   REPLY -->
            = ;            &nb= sp;            &= nbsp;            = ;  <-- SET
   ACK -->

Xauth draft of section 5  says  :

  " The Extended Authentication transaction is terminated either when
   the edge device starts a SET/ACK exchange which includes an
   XAUTH_STATUS attribute or when the remote device sends a
   XAUTH_STATUS attribute in a REPLY message.  Please note that a
   remote device can not set XAUTH_STATUS to anything but FAIL."


1)   Xauth  transaction  is terminated  when    the edge device starts a SET/ACK  exchange  ,is that termination  once after starting  or the completion of SET/ACK exchange?

2)Should edge device  wait for 'ACK' message  from the IpsecHost?
3)What happens if  by any chance that edge device  will not recive the 'Ack' message from the remote device(Ipsec Host)? 

bye





**************************************************************
Wealth is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Nothing is lost
Health is lost=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 Something is lost
Character is lost=A0=A0=A0=A0=A0 Everything is lost

**************************************************************** From owner-ietf-xauth Thu Nov 30 06:33:45 2000 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id GAA15466 for ietf-xauth-bks; Thu, 30 Nov 2000 06:33:45 -0800 (PST) Received: from sj-msg-core-2.cisco.com (sj-msg-core-2.cisco.com [171.69.43.88]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA15462 for ; Thu, 30 Nov 2000 06:33:43 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-2.cisco.com (8.9.3/8.9.1) with ESMTP id GAA13034; Thu, 30 Nov 2000 06:34:18 -0800 (PST) Received: from stephanent3 (kan2-dhcp-161-44-214-131.cisco.com [161.44.214.131]) by toque.cisco.com (Mirapoint) with SMTP id AAN31741; Thu, 30 Nov 2000 09:34:14 -0500 (EST) Message-ID: <1f6101c05ada$dbaaad20$83d62ca1@cisco.com> From: "Stephane Beaulieu" To: , "vamsi" References: <200011291926.AAA11561@venus.roc.com> Subject: Re: missing ACK message Date: Thu, 30 Nov 2000 09:35:59 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_1F5E_01C05AB0.F2CB7D60" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_1F5E_01C05AB0.F2CB7D60 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable You've really got 2 options. 1 - Wait for the ACK, but don't let your state machine advance, and have = a timer that cleans everything up if the ACK never comes. You may even = want to retransmit your SET(STATUS=3DFAIL) 2 - Delete the phase 1 SA right away, and send a DELETE notify. If the = ACK comes, you'll ignore it because you won't recognize the cookies. Option #1 is a little more polite since the SET(STATUS=3DFAIL) may of = had gotten lost in transit, and the peer doesn't know what's going on if = he didn't receive the SET. If you retransmit the SET (when you haven't = received an ACK), then there's a better chance to make sure that the = Remote Access Client knows why the connection is being torn down, and = can notify the User. It's also a little bit more complex to implement. Option #2 will work just as good in most cases. It will clean up = rejected connections faster. It will also cause some "INVALID-COOKIE" = events, which most likely will end up in your logs. Stephane. ----- Original Message -----=20 From: vamsi=20 To: ietf-xauth@vpnc.org=20 Sent: Thursday, November 30, 2000 2:15 AM Subject: missing ACK message Hi, The following is the general Xauth transaction IPSec Host Edge Device -------------- ----------------- <-- REQUEST REPLY --> <-- SET ACK --> Xauth draft of section 5 says : " The Extended Authentication transaction is terminated either when the edge device starts a SET/ACK exchange which includes an XAUTH_STATUS attribute or when the remote device sends a XAUTH_STATUS attribute in a REPLY message. Please note that a remote device can not set XAUTH_STATUS to anything but FAIL." 1) Xauth transaction is terminated when the edge device starts = a SET/ACK exchange ,is that termination once after starting or the = completion of SET/ACK exchange? 2)Should edge device wait for 'ACK' message from the IpsecHost? 3)What happens if by any chance that edge device will not recive the = 'Ack' message from the remote device(Ipsec Host)? =20 bye ************************************************************** Wealth is lost Nothing is lost Health is lost Something is lost Character is lost Everything is lost=20 ****************************************************************=20 ------=_NextPart_000_1F5E_01C05AB0.F2CB7D60 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
You've really got 2 = options.
 
1 - Wait for the ACK, but don't let = your state=20 machine advance, and have a timer that cleans everything up if the ACK = never=20 comes.  You may even want to retransmit your = SET(STATUS=3DFAIL)
 
2 - Delete the phase 1 SA right away, = and send a=20 DELETE notify.  If the ACK comes, you'll ignore it because you = won't=20 recognize the cookies.
 
Option #1 is a little more polite since = the=20 SET(STATUS=3DFAIL) may of had gotten lost in transit, and the peer = doesn't know=20 what's going on if=20 he didn't receive the SET.  If you retransmit the SET (when you = haven't=20 received an ACK), then there's a better chance to make sure that the = Remote=20 Access Client knows why the connection is being torn down, and can = notify the=20 User.  It's also a little bit more complex to = implement.
 
Option #2 will work just as good in = most=20 cases.  It will clean up rejected connections faster.  It will = also=20 cause some "INVALID-COOKIE" events, which most likely will end up in = your=20 logs.
 
Stephane.
----- Original Message -----
From:=20 vamsi=20
Sent: Thursday, November 30, = 2000 2:15=20 AM
Subject: missing ACK = message

Hi,
The following is the  general  Xauth = transaction

IPSec=20 = Host           &nb= sp;           &nbs= p;            = ;         =20 Edge Device
  =20 = --------------          = ;            =             &= nbsp;=20 -----------------
=
           &n= bsp;           &nb= sp;           &nbs= p;  =20 <-- REQUEST
   REPLY -->
=
           &n= bsp;           &nb= sp;           &nbs= p;            = ;   =20 <-- SET
   ACK -->

Xauth draft of section 5  says  :

  " The Extended Authentication transaction is terminated = either=20 when
   the edge device starts a SET/ACK exchange which = includes=20 an
   XAUTH_STATUS attribute or when the remote device = sends=20 a
   XAUTH_STATUS attribute in a REPLY message.  = Please note=20 that a
   remote device can not set XAUTH_STATUS to anything = but=20 FAIL."


1)   Xauth  transaction  is terminated =20 when    the edge device starts a SET/ACK  = exchange =20 ,is that termination  once after starting  or the completion = of=20 SET/ACK exchange?

2)Should edge device  wait for 'ACK' message  from the=20 IpsecHost?
3)What happens if  by any chance that edge device  will = not=20 recive the 'Ack' message from the remote device(Ipsec Host)?  =

=
bye





*********************************= *****************************
Wealth=20 is = lost           =20 Nothing is lost
Health is=20 lost            = Something is lost
Character is lost     =20 Everything is lost=20 =

**************************************************************** = ------=_NextPart_000_1F5E_01C05AB0.F2CB7D60-- From owner-ietf-xauth Mon Dec 4 04:01:09 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id EAA08448 for ietf-xauth-bks; Mon, 4 Dec 2000 04:01:09 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA08389 for ; Mon, 4 Dec 2000 03:59:37 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id FAA04659 for ; Mon, 4 Dec 2000 05:38:35 +0530 Message-Id: X-Sender: vamsi@172.16.1.10 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Mon, 04 Dec 2000 17:27:37 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: identifying the second request Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id EAA08445 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, In section 5 of Xauth Draft "Some mechanisms allow for another optional request of the passcode. IPSec Host Edge Device -------------- ----------------- <-- REQUEST(NAME="" PASSWORD="" PASSCODE="") REPLY(NAME="joe" PASSWORD="foobar" PASSCODE="323415") --> <-- REQUEST(NAME="" PASSWORD="" PASSCODE="") REPLY(NAME="joe" PASSWORD="foobar" PASSCODE="513212") --> <-- SET(STATUS=OK) ACK(STATUS) --> " 1)How ipsec host comes to know that one more request follows after the first request? ( here first request means "<-- REQUEST(NAME="" PASSWORD="" PASSCODE="")" and second request means request message from edge device in response to the reply message from ipsec host " <-- REQUEST(NAME="" PASSWORD="" PASSCODE="")" ) 2)Where I can get more information regarding SDI architecture? bye ************************************************************** Wealth is lost            Nothing is lost Health is lost            Something is lost Character is lost      Everything is lost **************************************************************** From owner-ietf-xauth Thu Dec 7 16:34:31 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id QAA06380 for ietf-xauth-bks; Thu, 7 Dec 2000 16:34:31 -0800 (PST) Received: from enigma.cyphers.net (enigma.cyphers.net [64.220.173.136]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA06376 for ; Thu, 7 Dec 2000 16:34:30 -0800 (PST) Received: from cyphers.net ([161.69.248.229]) by enigma.cyphers.net (Netscape Messaging Server 4.15) with ESMTP id G5870J00.Q5B for ; Thu, 7 Dec 2000 17:33:55 -0800 Message-ID: <3A302D1B.94C52A9F@cyphers.net> Date: Thu, 07 Dec 2000 16:36:41 -0800 From: Will Price Reply-To: wprice@cyphers.net X-Mailer: Mozilla 4.75 (Macintosh; U; PPC) X-Accept-Language: en,pdf MIME-Version: 1.0 To: ietf-xauth@vpnc.org Subject: CHAP XAuth draft contradiction? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Line 1167 of draft 00 says the RADIUS CHAP hash should proceed as: "(ID+challenge+secret)" Line 408 of RFC 2138 (RADIUS) says that hash should proceed as: ID+secret+challenge. We used the interpreation from the XAuth draft, but one of the vendors we're testing with used the second interpretation. I have changed our implementation to use RFC 2138's method, but this should probably be clarified. -- Will Will Price, Director of Engineering PGP Security, Inc. a division of Network Associates, Inc. From owner-ietf-xauth Thu Dec 7 16:34:24 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id QAA06372 for ietf-xauth-bks; Thu, 7 Dec 2000 16:34:24 -0800 (PST) Received: from enigma.cyphers.net (enigma.cyphers.net [64.220.173.136]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA06366; Thu, 7 Dec 2000 16:34:22 -0800 (PST) Received: from cyphers.net ([161.69.248.229]) by enigma.cyphers.net (Netscape Messaging Server 4.15) with ESMTP id G5870B00.356; Thu, 7 Dec 2000 17:33:47 -0800 Message-ID: <3A302D14.EEA97DF@cyphers.net> Date: Thu, 07 Dec 2000 16:36:33 -0800 From: Will Price Reply-To: wprice@cyphers.net X-Mailer: Mozilla 4.75 (Macintosh; U; PPC) X-Accept-Language: en,pdf MIME-Version: 1.0 To: ietf-xauth@vpnc.org, ietf-ipsra@vpnc.org Subject: Call for implementation list XAuth Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a repeat of my prior message to collect data on all xauth implementations. I have received a number of responses, but I'm certain there are many more. Please send a reply to this message titled "XAUTH DATA" with your response to the questions below. I will collate the information and post it back to the xauth list: Product Name Version Company XAuth Version Send xauth vendor ID (5 or 6?) Understand xauth vendor ID? Minimum XAuth version supported Maximum XAuth version supported Gateway or client Date shipping since or date expected to ship Supports hybrid auth extensions? Thanks! -- Will Will Price, Director of Engineering PGP Security, Inc. a division of Network Associates, Inc. From owner-ietf-xauth Wed Dec 20 01:07:08 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id BAA07450 for ietf-xauth-bks; Wed, 20 Dec 2000 01:07:08 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id BAA07287 for ; Wed, 20 Dec 2000 01:06:10 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id CAA02936 for ; Wed, 20 Dec 2000 02:46:47 +0530 Message-Id: <200012192116.CAA02936@venus.roc.com> X-Sender: vamsi@172.16.1.10 (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Wed, 20 Dec 2000 14:34:52 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: Encryption bit of Isakmp header Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id BAA07447 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, The following is the Isakmp Header 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Initiator ! ! Cookie ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Responder ! ! Cookie ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Message ID ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I am enabling the encryption bit of the 'Flags' field in the Isakmp Header during the 'Transaction exchange' for Xauth, when we require the protected exchanges.(This is what I am doing in my implemetation) My doubt is,by just enabling the Encryption bit in the 'flags ' field of Isakmp header would fullfill our requirement or else what about the other bits like 'Commit bit' and 'Authentication bit'.? bye ************************************************************** Wealth is lost            Nothing is lost Health is lost            Something is lost Character is lost      Everything is lost **************************************************************** From owner-ietf-xauth Tue Dec 26 04:01:31 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id EAA09098 for ietf-xauth-bks; Tue, 26 Dec 2000 04:01:31 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id EAA09056 for ; Tue, 26 Dec 2000 04:00:48 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id FAA09763; Tue, 26 Dec 2000 05:42:04 +0530 Message-Id: <200012260012.FAA09763@venus.roc.com> X-Sender: vamsi@172.16.1.10 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 26 Dec 2000 17:29:19 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: Transaction Exchange Packet Format Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id EAA09095 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, I am assuming the Xauth Transaction exchange packet format is as follows. ________________________________ | | | Isakmp Header | ________________________________ | | | Hash Payload | ________________________________ | | | Attribute Payload | ________________________________ Please clarify me whether my assumption is correct or not. bye ************************************************************** Wealth is lost            Nothing is lost Health is lost            Something is lost Character is lost      Everything is lost **************************************************************** From owner-ietf-xauth Thu Dec 28 12:30:50 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id MAA28531 for ietf-xauth-bks; Thu, 28 Dec 2000 12:30:50 -0800 (PST) Received: from sj-msg-core-4.cisco.com (sj-msg-core-4.cisco.com [171.71.163.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA28527 for ; Thu, 28 Dec 2000 12:30:48 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-4.cisco.com (8.9.3/8.9.1) with ESMTP id MAA24317; Thu, 28 Dec 2000 12:33:46 -0800 (PST) Received: from stephanent3 (kan-dial-117.cisco.com [10.88.15.117]) by toque.cisco.com (Mirapoint) with SMTP id AAO09351; Thu, 28 Dec 2000 15:33:34 -0500 (EST) Message-ID: <00a801c0710d$b22d4a40$750f580a@cisco.com> From: "Stephane Beaulieu" To: , "vamsi" References: <200012260012.FAA09763@venus.roc.com> Subject: Re: Transaction Exchange Packet Format Date: Thu, 28 Dec 2000 15:27:01 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: yes ----- Original Message ----- From: "vamsi" To: Sent: Tuesday, December 26, 2000 6:59 AM Subject: Transaction Exchange Packet Format > Hi, > > I am assuming the Xauth Transaction exchange packet format is as follows. > ________________________________ > | > | > | Isakmp Header | > ________________________________ > | > | > | Hash Payload | > ________________________________ > | > | > | Attribute Payload | > ________________________________ > > Please clarify me whether my assumption is correct or not. > > bye > > > > ************************************************************** > Wealth is lost Nothing is lost > Health is lost Something is lost > Character is lost Everything is lost > > **************************************************************** From owner-ietf-xauth Thu Dec 28 21:22:18 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id VAA14768 for ietf-xauth-bks; Thu, 28 Dec 2000 21:22:18 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id VAA14758 for ; Thu, 28 Dec 2000 21:22:12 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id XAA01807; Thu, 28 Dec 2000 23:03:52 +0530 Message-Id: <200012281733.XAA01807@venus.roc.com> X-Sender: vamsi@172.16.1.10 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Fri, 29 Dec 2000 10:51:30 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: intialisation vector Cc: raghava@brahma.roc.com, srao@brahma.roc.com Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id VAA14764 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, Should we use the Intialisation vector of phase1 exchange or else should we produce fresh intialisation vector for the Xauth protected Transaction exchanges? bye ************************************************************** Wealth is lost            Nothing is lost Health is lost            Something is lost Character is lost      Everything is lost **************************************************************** From owner-ietf-xauth Sat Dec 30 08:26:45 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id IAA29129 for ietf-xauth-bks; Sat, 30 Dec 2000 08:26:45 -0800 (PST) Received: from dfmail.f-secure.com (dfmail.f-secure.com [194.252.6.39]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id IAA29117 for ; Sat, 30 Dec 2000 08:26:42 -0800 (PST) Received: (qmail 31871 invoked by uid 0); 30 Dec 2000 16:30:48 -0000 Received: from fsav4im2.f-secure.com (HELO fsav4im2) (194.197.29.47) by dfmail.f-secure.com with SMTP; 30 Dec 2000 16:30:48 -0000 Received: from dfintra.f-secure.com ([194.197.29.8]:2827) (HELO dfintra.f-secure.com) by fsav4im2 ([194.197.29.47]:25) (F-Secure Anti-Virus for Internet Mail 5.0.53 Release) with SMTP; Sat, 30 Dec 2000 16:30:41 -0000 Received: (qmail 2601 invoked from network); 30 Dec 2000 16:30:47 -0000 Received: from info.f-secure.com (HELO F-Secure.com) (194.197.29.11) by dfintra.f-secure.com with SMTP; 30 Dec 2000 16:30:47 -0000 Message-ID: <3A4E0E26.CE6CCC5E@F-Secure.com> Date: Sat, 30 Dec 2000 18:32:38 +0200 From: Ari Huttunen Organization: F-Secure Corporation X-Mailer: Mozilla 4.76 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: ietf-xauth@vpnc.org Subject: X-auth attribute formats? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Is it the understanding that XAUTH-USER-NAME, XAUTH-USER-PASSWORD, etc. attributes MUST be null-terminated? XAUTH-CHALLENGE would *NOT* be NULL terminated? Similarly, MUST User-Name and User-Password be NULL terminated when sent to/from a RADIUS server? Ari -- Ari Huttunen phone: +358 9 2520 0700 Senior Software Engineer fax : +358 9 2520 5001 F-Secure Corporation http://www.F-Secure.com F-Secure products: Integrated Solutions for Enterprise Security From owner-ietf-xauth Sat Dec 30 11:09:57 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id LAA09096 for ietf-xauth-bks; Sat, 30 Dec 2000 11:09:57 -0800 (PST) Received: from enigma.cyphers.net (enigma.cyphers.net [64.220.173.136]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA09092 for ; Sat, 30 Dec 2000 11:09:55 -0800 (PST) Received: from cyphers.net ([64.220.173.157]) by enigma.cyphers.net (Netscape Messaging Server 4.15) with ESMTP id G6EDHI00.I06; Sat, 30 Dec 2000 12:12:54 -0800 Message-ID: <3A4E33FD.C83FDA2@cyphers.net> Date: Sat, 30 Dec 2000 11:14:05 -0800 From: Will Price Reply-To: wprice@cyphers.net X-Mailer: Mozilla 4.75 (Macintosh; U; PPC) X-Accept-Language: en,pdf MIME-Version: 1.0 To: Ari Huttunen CC: ietf-xauth@vpnc.org Subject: Re: X-auth attribute formats? References: <3A4E0E26.CE6CCC5E@F-Secure.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Ari Huttunen wrote: > > Is it the understanding that XAUTH-USER-NAME, XAUTH-USER-PASSWORD, etc. > attributes MUST be null-terminated? XAUTH-CHALLENGE would *NOT* be > NULL terminated? Where are you getting the idea that any of them should be null terminated? I don't think any of them should, and I don't see it in the draft either. The attribute includes a size, so there is no need to null terminate. One early mistake I made was actually converting the challenge to an ASCII hex string like "0x0A0B0C" because that's what it looked like in the draft and it says "variable ASCII". Silly me. The challenge is a series of binary bytes. Again though, no null termination. > Similarly, MUST User-Name and User-Password be NULL terminated when > sent to/from a RADIUS server? That I don't know. -- Will Price, Director of Engineering PGP Security, Inc. a division of Network Associates, Inc. From owner-ietf-xauth Tue Jan 2 06:05:21 2001 Received: by ns.secondary.com (8.9.3/8.9.3) id GAA25145 for ietf-xauth-bks; Tue, 2 Jan 2001 06:05:21 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA25053 for ; Tue, 2 Jan 2001 06:00:49 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id HAA04912; Tue, 2 Jan 2001 07:41:32 +0530 Message-Id: <200101020211.HAA04912@venus.roc.com> X-Sender: vamsi@206.40.37.1 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 02 Jan 2001 16:57:19 +0530 To: Ari Huttunen From: Vamsi Krishna Subject: Re: X-auth attribute formats? Cc: ietf-xauth@vpnc.org In-Reply-To: <3A4E0E26.CE6CCC5E@F-Secure.com> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id GAA25142 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: At 22:02 30.12.00 , Ari Huttunen wrote: >Is it the understanding that XAUTH-USER-NAME, XAUTH-USER-PASSWORD, etc. >attributes MUST be null-terminated? XAUTH-CHALLENGE would *NOT* be >NULL terminated? > >Similarly, MUST User-Name and User-Password be NULL terminated when >sent to/from a RADIUS server? A summary of the Attribute format in RADIUS is shown below. The fields are transmitted from left to right. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- | Type | Length | Value ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- For User name Attribute Type .................... User Name Attrib Type (as per defined in Radius Rfc) Length................... 1(Type)+1(Length)+variable string(value) value....................... User name So UserName and User-Password lengths can be determined from the field ' Length 'so there is no need of null termination while sending to /receiving from the Radius server. > >Ari > >-- >Ari Huttunen                   phone: +358 9 2520 0700 >Senior Software Engineer       fax  : +358 9 2520 5001 > >F-Secure Corporation       http://www.F-Secure.com > >F-Secure products: Integrated Solutions for Enterprise Security > From owner-ietf-xauth Tue Jan 2 07:46:04 2001 Received: by ns.secondary.com (8.9.3/8.9.3) id HAA04007 for ietf-xauth-bks; Tue, 2 Jan 2001 07:46:04 -0800 (PST) Received: from dfmail.f-secure.com (dfmail.f-secure.com [194.252.6.39]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id HAA04003 for ; Tue, 2 Jan 2001 07:46:02 -0800 (PST) Received: (qmail 5520 invoked by uid 0); 2 Jan 2001 15:50:24 -0000 Received: from fsav4im2.f-secure.com (HELO fsav4im2) (194.197.29.47) by dfmail.f-secure.com with SMTP; 2 Jan 2001 15:50:24 -0000 Received: from dfintra.f-secure.com ([194.197.29.8]:1048) (HELO dfintra.f-secure.com) by fsav4im2 ([194.197.29.47]:25) (F-Secure Anti-Virus for Internet Mail 5.0.53 Release) with SMTP; Tue, 2 Jan 2001 15:50:11 -0000 Received: (qmail 23205 invoked from network); 2 Jan 2001 15:50:23 -0000 Received: from fs129-152.f-secure.com (HELO F-Secure.com) (10.128.129.152) by dfintra.f-secure.com with SMTP; 2 Jan 2001 15:50:23 -0000 Message-ID: <3A51F92A.53B7AC33@F-Secure.com> Date: Tue, 02 Jan 2001 17:52:10 +0200 From: Ari Huttunen Organization: F-Secure Corporation X-Mailer: Mozilla 4.76 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Vamsi Krishna CC: ietf-xauth@vpnc.org Subject: Re: X-auth attribute formats? References: <200101020211.HAA04912@venus.roc.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Vamsi Krishna wrote: > > At 22:02 30.12.00 , Ari Huttunen wrote: > >Is it the understanding that XAUTH-USER-NAME, XAUTH-USER-PASSWORD, etc. > >attributes MUST be null-terminated? XAUTH-CHALLENGE would *NOT* be > >NULL terminated? > > > >Similarly, MUST User-Name and User-Password be NULL terminated when > >sent to/from a RADIUS server? > A summary of the Attribute format in RADIUS is shown below. The fields are > transmitted from left to right. > > 0 1 2 > 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > | Type | Length | Value ... > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > > For User name Attribute > Type .................... User Name Attrib Type (as per > defined in > Radius Rfc) > Length................... 1(Type)+1(Length)+variable string(value) > value....................... User name > So UserName and User-Password lengths can be determined from the field ' > Length 'so there is no > need of null termination while sending to /receiving from the Radius > server. It's trivially clear that both xauth and radius attribute definitions can handle not having a NULL. It also seems to work with a NULL, at least with the radius server I tried. I also thought that we'd been sending NULLs in xauth attributes, but actually we don't so I'm not sure if xauth too can handle having NULLs; I mean actual implementations. In any case the draft could clarify what is meant by "Variable ASCII string" in each case. Ari -- Ari Huttunen phone: +358 9 2520 0700 Senior Software Engineer fax : +358 9 2520 5001 F-Secure Corporation http://www.F-Secure.com F-Secure products: Integrated Solutions for Enterprise Security From owner-ietf-xauth Wed Jan 3 07:02:07 2001 Received: by ns.secondary.com (8.9.3/8.9.3) id HAA07703 for ietf-xauth-bks; Wed, 3 Jan 2001 07:02:07 -0800 (PST) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA07697 for ; Wed, 3 Jan 2001 07:02:06 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id HAA21049; Wed, 3 Jan 2001 07:05:43 -0800 (PST) Received: from stephanent3 (kan2-dhcp-161-44-214-149.cisco.com [161.44.214.149]) by toque.cisco.com (Mirapoint) with SMTP id AAR08303; Wed, 3 Jan 2001 10:05:30 -0500 (EST) Message-ID: <007c01c07596$dd211190$95d62ca1@cisco.com> From: "Stephane Beaulieu" To: , "vamsi" Cc: , References: <200012281733.XAA01807@venus.roc.com> Subject: Re: intialisation vector Date: Wed, 3 Jan 2001 10:07:17 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: You should follow the rules outlined in RFC 2409 which detail how to generate an IV for a post phase 1 exchange. ----- Original Message ----- From: "vamsi" To: Cc: ; Sent: Friday, December 29, 2000 12:21 AM Subject: intialisation vector > Hi, > Should we use the Intialisation vector of phase1 exchange or else should > we produce fresh intialisation vector for the Xauth protected Transaction > exchanges? > > bye > > > > ************************************************************** > Wealth is lost Nothing is lost > Health is lost Something is lost > Character is lost Everything is lost > > **************************************************************** From owner-ietf-xauth Mon Jan 8 15:39:11 2001 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id PAA11321 for ietf-xauth-bks; Mon, 8 Jan 2001 15:39:11 -0800 (PST) Received: from enigma.cyphers.net (enigma.cyphers.net [64.220.173.136]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA11315 for ; Mon, 8 Jan 2001 15:39:09 -0800 (PST) Received: from cyphers.net (prime.cyphers.net [64.220.173.156]) by enigma.cyphers.net (Netscape Messaging Server 4.15) with ESMTP id G6VE1I00.T1M for ; Mon, 8 Jan 2001 16:44:06 -0800 Message-ID: <3A5A50C1.4ABA40F0@cyphers.net> Date: Mon, 08 Jan 2001 15:44:01 -0800 From: Will Price Reply-To: wprice@cyphers.net X-Mailer: Mozilla 4.75 (Macintosh; U; PPC) X-Accept-Language: en,pdf MIME-Version: 1.0 To: ietf-xauth@vpnc.org Subject: XAuth Vendor Interop Draft Content-Type: multipart/mixed; boundary="------------475CC505CEFB60B6EC07C6F8" Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. --------------475CC505CEFB60B6EC07C6F8 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit This is a draft based on what people have sent in the last few weeks. I plan on updating this again based on any feedback I receive. Please send feedback to me titled "XAUTH DATA". Thanks. -- Will Will Price, Director of Engineering PGP Security, Inc. a division of Network Associates, Inc. --------------475CC505CEFB60B6EC07C6F8 Content-Type: text/html; charset=us-ascii; x-mac-type="54455854"; x-mac-creator="4D534945"; name="XauthInterop.htm" Content-Transfer-Encoding: 7bit Content-Description: Unknown Document Content-Disposition: inline; filename="XauthInterop.htm" XAuth Vendor Interop List
Company Product Name Version Xauth Version Sends VendorID Understands VendorID Minimum Xauth Version Maximum Xauth Version Type Supports Hybrid Ship Date
Alcatel Secure VPN Gateway Current 5 No No 5 5 GW/Client No Now
Cisco VPN Client 3.0 6 Yes Yes 6 6 Win32 Client No Q1 2001
Cisco VPN Concentrator 3000 3.0 6 Yes Yes 2 6 Gateway No Q1 2001
Cisco VPN Concentrator 5000 ? 6 ? ? ? ? Gateway Yes Q1 2001
Cisco IOS Router Software 12.2.3.T 6 Yes Yes 3 6 Gateway No Soon
Cisco PIX 5.4 6 No No 3 6 Gateway No Soon
F-Secure F-Secure VPN+ 5.30 6 Yes Yes 2 6 GW/Client No Q2 2001
PGP Security PGP Desktop Security 7.0.3 6 Yes Yes 6 6 Win32 + Mac Client Yes Now
RapidStream RapidStream Security Appliance Release 3.0 6 Yes Yes 6 6 Gateway No Q1 2001
SafeNet SafeNet/Soft-PK 5.1.0 6 Yes Yes 4 6 Win32 Client No Now
Secure Computing Sidewinder 5.1 + Patch 6 Yes Yes 5 6 Gateway No Q1 2001
--------------475CC505CEFB60B6EC07C6F8-- From owner-ietf-xauth Mon Jan 15 11:48:31 2001 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id LAA20874 for ietf-xauth-bks; Mon, 15 Jan 2001 11:48:31 -0800 (PST) Received: from enigma.cyphers.net (enigma.cyphers.net [64.220.173.136]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA20868 for ; Mon, 15 Jan 2001 11:48:29 -0800 (PST) Received: from cyphers.net (prime.cyphers.net [64.220.173.156]) by enigma.cyphers.net (Netscape Messaging Server 4.15) with ESMTP id G7823I00.Q04 for ; Mon, 15 Jan 2001 12:54:54 -0800 Message-ID: <3A635551.8AA4E009@cyphers.net> Date: Mon, 15 Jan 2001 11:53:52 -0800 From: Will Price Reply-To: wprice@cyphers.net X-Mailer: Mozilla 4.75 (Macintosh; U; PPC) X-Accept-Language: en,pdf MIME-Version: 1.0 To: ietf-xauth@vpnc.org Subject: XAuth Vendor Interop Draft, V2 References: <3A5A50C1.4ABA40F0@cyphers.net> <048401c07f04$fe9ca790$abd62ca1@cisco.com> Content-Type: multipart/mixed; boundary="------------7F2A1B3852572E7305DB8069" Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. --------------7F2A1B3852572E7305DB8069 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Here is an updated list which should be more readable to those folks who couldn't read the last version. This also has some changes based on feedback over the last week. I will continue to update this document for a while as I receive changes/additions. -- Will Will Price, Director of Engineering PGP Security, Inc. a division of Network Associates, Inc. --------------7F2A1B3852572E7305DB8069 Content-Type: application/zip; x-mac-type="5A495020"; x-mac-creator="53495478"; name="XauthInterop.xls.zip" Content-Transfer-Encoding: base64 Content-Description: Unknown Document Content-Disposition: inline; filename="XauthInterop.xls.zip" UEsDBBQAAAAIADdeLyp6DqkLtA4AAAA4AAAQABAAWGF1dGhJbnRlcm9wLnhscwUnDABaUElU WExTOFhDRUzsW31sFMcVn93b+9i9wxzGYAPGXsyXvzBnG4JDmmAC4UMN4GBCqEoEh72EK/ad fT7zITWJ2yYSrdrKUdKkalDDRxqlTZrQNmmDFJqDWCqJSANto9A2qkhRlbbKH6QhbSIRru/N zr69OdaRcR01bTKr2X3vzZuZ33szO/t25+70qxPOHfzJ1DdZQbqB+djlnM4CeTJFZJ6ijJUK /nIul3PEuc/S/1T6EPJUGDcfZA2yHzKOeRByCLIO2YAchhyBPA5yEeTx9hRgEyAXQ54IuQTy JMiTxZzAPCWP/ix98hJbX3jnX11SYcY4banAmyGVy7N28QpJ+d3P3fm3u7JKGRMTDtJtLMXS bCfbBtcUXK82FTNVwXlL9owIM8z1Gpv2s3bWz7rhiAOOvWw1S7LtHBNKMiwBdPIj2qqG/hVh zkj7x6QpTv/LoYcOjsGCnjJXiacF+pfGcwQJ7/GI6F8PReGG97O1laeC0QEgQf4meOiIdpz7 6c+QN7MeXANuS3R1mW3pRIdlfvzpRo4hriCG65UAPGdU8PF+OBexKRxZMT9P5Oenud7ztjaU 4Eq0fA2raOE2KmyT2sr1vsXPVXBWoB08/4LX+QOXN0K9CyDL3f28PYkrNbbK6trVCCvaM5I8 wFZaSWtX3C5RoWRQ8SrxDVuHedYpYSelEqd/lHvhQrx+WJdRrlwhn1Ugr9DKQQpP7apZVTPr Z86Mbam5bnO1w2yuqdBmwNpfLpV/cb3VebusVAUPh+muUkNMbgd41JoLj4+qQq2C1oTqIlbL mhjbgvJa0+lZsJurRceOoGpeFS9t3QJVG1gNHFA1v55cqaDGElbPFsud2djk/ji0vC6XLHGb uIbVwVxxO3XqX1G5oOY5Pi8Zey9XnXc3Zk2UK1xuMnZxZHL1KuXsUyhX2JV+9sPYcf33C+U1 w8jrh5HXesoxXrqIq3ABntAwcj/U8Gon4OAPFcobbXlkGPklWR4cpp3gsO2wK9q5X9VYdMCX w+uEwQC/Fg9q/DpxMMivJYM6v04aDPErG2T8OnnAn9uq4Ep7L6y4f8HwEfpo32FZmUaU/H1O nqQJJf+amydp/iZEpQocT8FT3scUrRQMcd5Bytg0NgPghhm9l4y7Ds9ok8GOK6B6HMsS8Uss q3YDuYDx0HZZqrsnntwLem3pVGd/R8ZcG++2oGCjle5LpJIAc1O8P7PDFDxEvO1WsrMP+GRn Kr16OUywW5OdUJiJ54sh+l2TSCa6+7tNqT7K43uulIOfNuztsWDStO9I9JjL4xkLAuv2/p6e VDrTZ67auy2d6KxgbH28J9HZnklb8W6z3eroTycye82lPT1diXiywwL711tdVrzPMpsbYhCJ fMHqA1tWQmu743thRVibAvaWRrMpFmuMoinQgmWiE/ozieQdYakDeNK3Jzqt3Qm0D4oWNjSa dWZbPNOxA1pZ2tUBzXYVUysb29aaoid0bH86bSUzYNDK2+Yv60oA7cP+d0PMsSzR15GC1rGG XRTBoCLZ3CTYSaIsBTYlM+l4JpU2m2MxtAjs8ipdCKUw8kvg7WP1unZzfao/Y6XN9tT2zO54 2oIp39jU0NTQ3LABHN2eSiWhpbbVm3xo1AJA2x7fbq21MuOJmo9V57V93s/NbohBCyvm2YaO c0m0uU5DleYYOraJOxYn08o2Gp4Sm11u9e3MpHpIDC0vaog1NBc7pteZa+IdwgFw893c32E7 ZmlHh9XXZ7alEtyFYEWONWkh9m4A57dx/i7o+SGm975l3+FsI2BNwfUEXP8I18kwBvNVo3IP XO9T9aH9GdBrMioPP476+qkLN+pDLxfrZ5Kn74aw0ah85LRR+f279KGXHsE7SD+zqwvyPv3M bk1/o9Wug3z2tSO8/NgLZ43zdxwAUsvl3jpgnF/XqvfeUqr3tu2HtgaNyoMPwPUI5CfF3amA rMyoPHAz1jfOrzitHxsYBDIn2teEzh7UsdtW70e50GNG5YtDiFfo5qeMuJ70wPd2LvdPvoTp vTeljfOJVdVMq0aMTrtcf+hom1H5p0aP+nNyuYtZwLQPbPst2mdj4fY96dgHfBTtywfltK/3 bnxJ791wydY5lIFrPWZmf0EJwZg8Cu/TW+BlKcG6wBYLov3lPNqPw3tRnPWBhI/Jzqw3vne2 4rKo9976DPZj4zuUcVZF6Ot94DfxK/odxhHrCnwuBn5FvcOPi7Z5P3l+Il3wQ9TpB9p9FP0h /JC1+zv80zxXBBzcoL/KbuPg2VzuzXPYFuQfOfPNHouTz3BbYe6JOjBehx/Th17HOXBC770j bPd16CRkLP+y/uPrn2P2ah/CvkDWgnNe3/HtHm5v5aHnnPahrSed8QG62pmPgCdrnF+9FeX6 mWfFOB+uxvaFP6VxJf7MrhbUy2vP9hHHa8vl6eq8/Np4ue4bczL6ma+X6UMPn+K2Ay/a3id8 1IUV9Fe6LyI253UP/HEUchbKWrA/KH8D2wf9J2xf4scb+yUvKr3khVV3suJD8wfwjLt9KmOv TsePPPjAjsC5EyYm0hN4YBmFWXbph+/8Zs22tiVbuLyWy+v4+atcMuBGGmw2BgKsTPkKlBzX nM9DX+Pa9/DzQXxHUJQyhT/kNXZMP/uCXffcEufaq98Kuga704lVihAT05DHWgcmIa/xchWO gVAZlfvgGAi45Roc2aBb3w/HAd0tD8AxYLjlQThaw255CI78+joc5/LqG3Dk1w/jPVhklw/y D2e4XIvwQ2dqEfnf/sQWUqOC7oImTj/bqgwOoEzhsgtwPsIGlNIsylQuOwdFf70BZFzPR3p+ 1GtFmebW/Q7IeB9+kp1+1qkb8OgjSDK3jxDJ2INOHzph4TLeh0F6UdILk14y5ehFSC/2oNPH OJL1fNfRKyLZVmpvPMlU1akb5Z8KUGZS3Qkki5GsmGRZkk0kmUL+KyEZY47eJA/ZZJLd854j KyVZ21EHXxnJzr7g9DGFZAfiTt2pJNM1RzaNZGWa0145yd7e5YzbdJK541ZBsscedvqtJNnW h7CPD/moMTaVn21OAU4hTuUYHM4HZT7iNOA04vzA+YkLABcgLghckLgQcCHidOAM4gzgdMEh ilK+hticAtxk4lTwLD6g7lKR83G6pNUu04AbT5p+wR2DOaAAKlvTPgeFTgikZVRDl+obwE0R nMoxTSUOMU0jDjFVCEyqwFTWapchpnGk6RfcMT4vA0LTPgeFDmIqpxr5mFSOKSo4n4TJxzFN Jy4fk0/C5JMw+SRMPoGJSZh8HFMR1cjH5JMwaRImjWOqJE4Ff5oCkyZh0jgmkzT9EheQuKDE 5SPTOLJxxOUj80vI/BzZDOIQWZVA5peQ+SVv+SVv+YW3QpK3/BImv+QtP8c0U3ABCVOAY5pF HGKaLTAFJEwBaaYHpJke8MQUkDAFJEwBCVOQY6ohDjHVEoeY6gSmoIQpKPkpKPkp6DmrgtLd F5QwBTmmesHhqlGOH+MEpwDXRBxiahaYQoCpnDCFAFM5tRkCTOWEKWR/BAU/ledhwid/OfkJ om2pvgGcsyLoHNM84hBTA3GIab7ApEuYdI5pHGnmY9IFpjIJk84xxaiGLtXPx2TwsSsmDscu TByuCBGByZDGzpDGzpDGzvBcpQxpPhnS2BnSfRfmmOYQh5jmEod+qhaYwhKmsIQpLGEKC0xR CVNYWjnDEqawtJpHOKYJxCGmicShn0oEpoiEKSJhikiYItITxsEUkfwUkTBFyE+KGuDReBmn iogaT1SUqAlEFRM1kagSoiYRNZmoUqLKiJpC1FSiphFVTtR0oiqIquTU6/Aa+2uYel3q99gD /HCu7mGM4MBIxaRIxY1YZ5DMjVirPCKfmSRzo+JZbl2Kimd79DHHo4+5Hn1UuxEhRac1soz3 UUsyNyquI5kbFde7EStFxfNI5kbFDW4ER+3NJ5kbFcc8ouJGj6i4ySMqbvaIihd4RMALPWTX eETFizyi4haPqPhaj6h4cUFUjLPNpHk3g6gqomYSNYuo2UTNIWouUdVE1RBVS1QdUfVEzSOq gaj5RMWIaiSqiahmohYQtZCoa4haRFQLUdcStVjccYtZrQ/fI0dyXxUeN6jF7Of8Fz+tzE3T YbVxPlgI0fFQLWQU4iKHi2iE6G+gAkaZKgRWNyf6Mo0nQs+zE6RtJ5cyeWDhvBPz1RWG196x HP3HtZNCT+ykstzdbNjkfEwJSPtFkB4sZVlTAezHCb8ifOBSpv1ZIn8jQTZi9PjH1gh3EFSm CiMcSgyC2JYQ+Cts/P+hEWOG/wTh94n56FKmPaGkzRUmjcLo8Y+tFS+SFZr4jO1SJo8HCraa ZDNGb8XYmvESmeHnL1D5lGnvv3ptkMnGjN6MsTXmZTImIH7w6FIm/97gva0nWzN6Yz4ua4L2 XZ1HOdZ4bUZ+Mq05StaExJdllzLt+wa3UGXwo7dmbMEPEXidvxbmUyYP9ws3e2XYowc/tnb8 kuywXyXzKdO2hzawvSwYjR1jacHwmyBRSf3Q3P/m5oeb3M2PdiZtfijO5oezdeAmHrxxqjVP 6hG8jdQZT1d/0pzB2j8WZ3yaE/oB3e/8/vsyv4vk33+jLCyun6X/r3Q5h7vFiue8OHfvI//4 YN2O6BP3hVjd3J/9Pgay34l5geWrxNxpE3MHd6wxAtwndPAXAfjJEX/dgTdsltn/Ezgl6kVh tcWNCPzMvWmpHYlgmGiuTmasdKrHxLdH1pFGHZx/7g+QGZdx1CAbrjzKMG7rSKf6Utsz5k17 OqwuezmITLnwq71ZxTcG989H+U997ZXX9jdMi97/EPiv/oOn0H+4O6+LcvQbxgCbmP3Lih3C jh6BfY/w1wCz/1OBfsXXnEHhz6MFfkTfr71pw1J8GKNtr+o6b4+Jdr2uFVH73sf73f5Vnks2 uWQzi0TtzsjZqfTOPizq4/VH60sFPIgPC5yLhf8dwHlRMH4mdctXo5YVq2/EpZ+XNXCkDS2j RPLpTApbxlKsG+bcOraNfemq6+On5vz1ZCR18Jm76ap7Gj5dbf9jnf6X+//3AFBLAQIUBxQA AAAIADdeLyp6DqkLtA4AAAA4AAAQABAAAAAAAAAAAAAAAAAAAABYYXV0aEludGVyb3AueGxz BScMAFpQSVRYTFM4WENFTFBLBQYAAAAAAQABAE4AAADyDgAAAAA= --------------7F2A1B3852572E7305DB8069-- From owner-ietf-xauth Fri Jan 19 03:08:39 2001 Received: by ns.secondary.com (8.9.3/8.9.3) id DAA00568 for ietf-xauth-bks; Fri, 19 Jan 2001 03:08:39 -0800 (PST) Received: from venus.roc.com ([202.54.67.218]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA00552 for ; Fri, 19 Jan 2001 03:08:12 -0800 (PST) Received: from vamsi.roc.com (vamsi.roc.com [172.16.5.76]) by venus.roc.com (8.9.3/8.9.3) with SMTP id EAA02371; Fri, 19 Jan 2001 04:51:57 +0530 Message-Id: <200101182321.EAA02371@venus.roc.com> X-Sender: vamsi@172.16.1.10 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Fri, 19 Jan 2001 16:36:54 +0530 To: ietf-xauth@vpnc.org From: vamsi Subject: Basic,Variable Ascii string,Variable Cc: raghava@brahma.roc.com, srao@brahma.roc.com Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id DAA00565 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, The attributes in Xauth draft are as follows Attribute Value Type --------------------- ------ --------------------- XAUTH-TYPE 16520 Basic XAUTH-USER-NAME 16521 Variable ASCII string XAUTH-USER-PASSWORD 16522 Variable ASCII string XAUTH-PASSCODE 16523 Variable ASCII string XAUTH-MESSAGE 16524 Variable ASCII string XAUTH-CHALLENGE 16525 Variable ASCII string XAUTH-DOMAIN 16526 Variable ASCII string XAUTH-STATUS 16527 Basic XAUTH-NEXT-PIN 16528 Variable XAUTH-ANSWER 16529 Variable ASCII string My questions are 1)What is meant by basic? 2)In what way the 'variable ASCII string' and 'variable' differs? 3)I am assuming the following attributes comes under TV format a)XAUTH_TYPE b)XAUTH_STATUS simillarly I am assuming the remaining XAuth attributes comes under TLV format. Please let me know whether my assumptions regarding this attribute Type (TV/TLV) are correct or not. bye vamsi ************************************************************** Wealth is lost            Nothing is lost Health is lost            Something is lost Character is lost      Everything is lost **************************************************************** From owner-ietf-xauth Fri Jan 19 06:26:21 2001 Received: by ns.secondary.com (8.9.3/8.9.3) id GAA17592 for ietf-xauth-bks; Fri, 19 Jan 2001 06:26:21 -0800 (PST) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA17587 for ; Fri, 19 Jan 2001 06:26:20 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id GAA21417; Fri, 19 Jan 2001 06:31:20 -0800 (PST) Received: from stephanent3 (kan2-dhcp-161-44-214-171.cisco.com [161.44.214.171]) by toque.cisco.com (Mirapoint) with SMTP id AAU55400; Fri, 19 Jan 2001 09:31:03 -0500 (EST) Message-ID: <001b01c08224$b23a69a0$abd62ca1@cisco.com> From: "Stephane Beaulieu" To: , "vamsi" Cc: , References: <200101182321.EAA02371@venus.roc.com> Subject: Re: Basic,Variable Ascii string,Variable Date: Fri, 19 Jan 2001 09:32:48 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: > Hi, > > The attributes in Xauth draft are as follows > > > > Attribute Value Type > --------------------- ------ > --------------------- > XAUTH-TYPE 16520 Basic > XAUTH-USER-NAME 16521 Variable ASCII string > XAUTH-USER-PASSWORD 16522 Variable ASCII string > XAUTH-PASSCODE 16523 Variable ASCII string > XAUTH-MESSAGE 16524 Variable ASCII string > XAUTH-CHALLENGE 16525 Variable ASCII string > XAUTH-DOMAIN 16526 Variable ASCII string > XAUTH-STATUS 16527 Basic > XAUTH-NEXT-PIN 16528 Variable > XAUTH-ANSWER 16529 Variable ASCII string > > My questions are > 1)What is meant by basic? This is specified in RFC 2408. It's in the attribute encoding text. > 2)In what way the 'variable ASCII string' and 'variable' differs? Encoding is the same. It's just a hint to the implementors to say what type of data is in the attribute (i.e. binary vs. ascii text) > 3)I am assuming the following attributes comes under TV format > a)XAUTH_TYPE > b)XAUTH_STATUS > simillarly I am assuming the remaining XAuth attributes comes under TLV > format. yes > Please let me know whether my assumptions regarding this attribute Type > (TV/TLV) are correct or not. > > bye > vamsi > > > > ************************************************************** > Wealth is lost Nothing is lost > Health is lost Something is lost > Character is lost Everything is lost > > **************************************************************** From owner-ietf-xauth Mon Jan 22 15:52:21 2001 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id PAA19581 for ietf-xauth-bks; Mon, 22 Jan 2001 15:52:21 -0800 (PST) Received: from cins.hanyang.ac.kr ([166.104.204.187]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA19575 for ; Mon, 22 Jan 2001 15:52:18 -0800 (PST) From: emed22@libero.it Received: by cins.hanyang.ac.kr id IAA283898; Tue, 23 Jan 2001 08:32:40 +0900 (KST) To: ietf-xauth@vpnc.org Subject: Obtain Biotech IPOs! 120 Date: Mon, 22 Jan 2001 18:56:04 Message-Id: <213.419456.809914@libero.it> Reply-To: emed22@libero.it Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by cins.hanyang.ac.kr id IAA283898 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID:

Help Beta Test Our Site and Be Eligible to Purchase Shares= of=20 Future IPOs In Which We Participate**

eMedsecurities has selected you as a possible participant = to help=20 test our online stock-trading engine for knowledge-based investing = in the=20 life sciences.  For your cooperation, you will be eligible = to purchase=20 shares of future IPOs in which we participate, for as long as y= ou=20 maintain your account with us.  This is limited to only 50 = qualified=20 testers!  Request M= ore Information.**

eMedsecurities=85 The Cure for the Common Portfolio!

eMedsecurities provides you with a wealth of information, = all=20 compiled in a single, easy-to-use resource.  Learn about new r= esearch=20 and upcoming treatments for diabetes, glaucoma, cataract, obesity a= nd much more.  Obtain critical investment information about the=20 companies that are developing these treatments.  eMedsecuritie= s empowers=20 you to make more informed investment decisions.  Request More Information.**

Participation i= n eMedsecurities's Beta Test allows you:

  • Eligibility to purchase s= hares of IPOs in which=20 eMedsecurities participates for as long as you maintain your=20 account**

  • Valuable research of the = entire product=20 pipeline of companies, including stages of clinical development, = by=20 industry or specific disease

  • Useful information about = industry trends, recent=20 developments and upcoming IPOs

  • Commitment to customer se= rvice featuring=20 our Live Customer Service Online

  • Dedication to fast trade = executions at the best=20 possible price.

The following guideline= s will=20 explain what we expect from an eMedsecurities Beta Tester:

  • Open a funded eMedsecurities=20 account

  • Visit our online trading site onc= e=20 a week

  • Execute trades through our Web=20 site in accordance with your normal practice

  • Submit feedback to eMedsecurities= 's development team through a questionnaire sent via=20 email

  • Provide us with additional=20 feedback regarding the site as needed.

The test is limited to = only 50 Beta=20 Testers so sign up now to be considered!  Request More Information.**=20

Please note:<= /B> All applications for the Beta Test must be s= ubmitted by January 25, 2001 to be considered.=20

Please=20 be advised that your information will stay in our proprietary datab= ase and=20 will not be sold, traded, given or otherwise provided to outside ve= ndors.  We respect your privacy.=20

=20

By=20 submitting your information, you implicitly state that this is some= thing=20 that interests you and that you
agree to receive periodic emails from=20 eMedsecurities.=20

Research indicated= that you=20 might benefit from our offer.  To be removed instantly and per= manently from=20 our database, simply click here= .  We respect=20 all removal requests.

** R= estrictions=20 Apply:  Beta test not open t= o residents of HI, IL, MI, MN, NE, NH, TN, TX.  Initial Public=20 Offerings are considered speculative investments and as such may no= t be=20 appropriate for every investor. If an investor chooses to participa= te in=20 IPOs, there are certain restrictions that apply.   Flipping - The first time an invest= or sells their shares within the first 30 days the issue is trading in the=20 secondary market, that investor will not be allocated shares for th= e next=20 90 days following the sale.  The second time that investor =93= flips,"=20 they will not be allocated IPO shares for 180 days.  The third= time=20 that investor =93flips," they lose their IPO allocations perma= nently.  Transferring shares - If the=20 investor transfers IPO shares out of their account within the first= 30=20 days the issue is trading in the secondary market, they will perman= ently=20 lose their IPO allocations.  Beta investors will be chosen = from=20 all the applicants based on their income, net worth and investing=20 experience.  Beta Test open only to those 21 years of age= or older. IPO shares will only be allocated from transactions in=20 which eMedsecurities participates in the underwriting.  A0009-= 1-A2

eMedsecurities, Inc.   Member NASD  SIPC. 

From owner-ietf-xauth Tue Jan 30 16:39:25 2001 Received: by ns.secondary.com (8.9.3/8.9.3) id QAA28479 for ietf-xauth-bks; Tue, 30 Jan 2001 16:39:25 -0800 (PST) Received: from ns01.newbridge.com (ns01.newbridge.com [192.75.23.67]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA28469 for ; Tue, 30 Jan 2001 16:39:22 -0800 (PST) Received: (from smtpd@localhost) by ns01.newbridge.com (8.9.2/8.9.2) id TAA09488 for ; Tue, 30 Jan 2001 19:37:09 -0500 (EST) Received: from portal1.newbridge.com(192.75.23.76), claiming to be "kanata-mh1.ca.newbridge.com" via SMTP by ns01.newbridge.com, id smtpdAAAwVT2i_; Tue Jan 30 19:37:09 2001 Received: from kanmail02.ca.newbridge.com by kanata-mh1.ca.newbridge.com with ESMTP for ietf-xauth@vpnc.org; Tue, 30 Jan 2001 19:45:00 -0500 Received: from andrewk3 ([138.120.114.30]) by kanmail02.ca.newbridge.com (Netscape Messaging Server 3.6) with ESMTP id AAA3FEE for ; Tue, 30 Jan 2001 19:45:00 -0500 Reply-To: From: "Andrew Krywaniuk" To: Subject: XAuth vendor id Date: Tue, 30 Jan 2001 19:43:14 -0500 Message-Id: <003b01c08b1e$cc1bfd40$1e72788a@andrewk3.ca.alcatel.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal In-Reply-To: <001b01c08224$b23a69a0$abd62ca1@cisco.com> X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, The latest XAuth draft (00) specifies a vendor id of 0x09002689dfd6b712. However, I have a locally stored copy of a previous version (06) which says that the vendor id is 0x228726e54acd6765. Has anyone out there deployed products with this vendor id? And are there any known compatibility issues which precipitated the change? Andrew ------------------------------------------- Upon closer inspection, I saw that the line dividing black from white was in fact a shade of grey. As I drew nearer still, the grey area grew larger. And then I was enlightened. From owner-ietf-xauth Tue Jan 30 17:06:55 2001 Received: by ns.secondary.com (8.9.3/8.9.3) id RAA29343 for ietf-xauth-bks; Tue, 30 Jan 2001 17:06:55 -0800 (PST) Received: from corvus.netcenter ([205.178.117.162]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id RAA29337 for ; Tue, 30 Jan 2001 17:06:54 -0800 (PST) Received: by email.rapidstream.com with Internet Mail Service (5.5.2650.21) id ; Tue, 30 Jan 2001 17:13:09 -0800 Message-ID: <5F235E8F67EAD311993200D0B708A6D85ABA7E@email.rapidstream.com> From: Leemay Yen To: "'andrew.krywaniuk@alcatel.com'" , ietf-xauth@vpnc.org Subject: RE: XAuth vendor id Date: Tue, 30 Jan 2001 17:13:08 -0800 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: I checked both xauth06 and the latest new xauth00 in my local store, they have the same Vendor ID, 0x09002689dfd6b712 So far, I have no problem with this xauth VID. Leemay -----Original Message----- From: Andrew Krywaniuk [mailto:andrew.krywaniuk@alcatel.com] Sent: Tuesday, January 30, 2001 4:43 PM To: ietf-xauth@vpnc.org Subject: XAuth vendor id Hi, The latest XAuth draft (00) specifies a vendor id of 0x09002689dfd6b712. However, I have a locally stored copy of a previous version (06) which says that the vendor id is 0x228726e54acd6765. Has anyone out there deployed products with this vendor id? And are there any known compatibility issues which precipitated the change? Andrew ------------------------------------------- Upon closer inspection, I saw that the line dividing black from white was in fact a shade of grey. As I drew nearer still, the grey area grew larger. And then I was enlightened. From owner-ietf-xauth Wed Jan 31 06:08:29 2001 Received: by ns.secondary.com (8.9.3/8.9.3) id GAA27475 for ietf-xauth-bks; Wed, 31 Jan 2001 06:08:29 -0800 (PST) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA27470 for ; Wed, 31 Jan 2001 06:08:28 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id GAA15264; Wed, 31 Jan 2001 06:15:01 -0800 (PST) Received: from stephanent3 (kan2-dhcp-161-44-214-171.cisco.com [161.44.214.171]) by toque.cisco.com (Mirapoint) with SMTP id ABC14688; Wed, 31 Jan 2001 09:14:45 -0500 (EST) Message-ID: <06a701c08b90$68979550$abd62ca1@cisco.com> From: "Stephane Beaulieu" To: , References: <003b01c08b1e$cc1bfd40$1e72788a@andrewk3.ca.alcatel.com> Subject: Re: XAuth vendor id Date: Wed, 31 Jan 2001 09:16:31 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hey Andrew, In Xauth (v5, I think). I wrote that the VID is a MD5 of "draft-ietf-ipsec-xauth-05.txt" or something like that. And then I also included the actual truncated hex output of the hash. --> 0x09002689dfd6b712 Turns out the code I wrote to generate the hash had a bug in it. I think it was that I only hashed the first 4 bytes of the string instead of the entire string. Anyways, I then removed the part that says: Hash this string, and now the draft just says use 0x09002689dfd6b712, since most people were just using that anyways. So, the moral of the story is, never add 2 definitions for one item, especially, when they are different. :) Sorry for the inconveniance... Stephane. ----- Original Message ----- From: "Andrew Krywaniuk" To: Sent: Tuesday, January 30, 2001 7:43 PM Subject: XAuth vendor id > Hi, > > The latest XAuth draft (00) specifies a vendor id of 0x09002689dfd6b712. > However, I have a locally stored copy of a previous version (06) which says > that the vendor id is 0x228726e54acd6765. > > Has anyone out there deployed products with this vendor id? And are there > any known compatibility issues which precipitated the change? > > Andrew > ------------------------------------------- > Upon closer inspection, I saw that the line > dividing black from white was in fact a shade > of grey. As I drew nearer still, the grey area > grew larger. And then I was enlightened. > > From owner-ietf-xauth Thu Feb 1 11:37:29 2001 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id LAA26982 for ietf-xauth-bks; Thu, 1 Feb 2001 11:37:29 -0800 (PST) Received: from ns01.newbridge.com (ns01.newbridge.com [192.75.23.67]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA26978 for ; Thu, 1 Feb 2001 11:37:27 -0800 (PST) Received: (from smtpd@localhost) by ns01.newbridge.com (8.9.2/8.9.2) id OAA12914 for ; Thu, 1 Feb 2001 14:35:19 -0500 (EST) Received: from portal1.newbridge.com(192.75.23.76), claiming to be "kanata-mh1.ca.newbridge.com" via SMTP by ns01.newbridge.com, id smtpdXAAhmrBu_; Thu Feb 1 14:35:09 2001 Received: from kanmail02.ca.newbridge.com by kanata-mh1.ca.newbridge.com with ESMTP for ietf-xauth@vpnc.org; Thu, 1 Feb 2001 14:36:07 -0500 Received: from andrewk3 ([138.120.114.30]) by kanmail02.ca.newbridge.com (Netscape Messaging Server 3.6) with ESMTP id AAA6E28 for ; Thu, 1 Feb 2001 14:36:06 -0500 Reply-To: From: "Andrew Krywaniuk" To: Subject: RE: XAuth vendor id Date: Thu, 1 Feb 2001 14:34:19 -0500 Message-Id: <008301c08c85$fa3043e0$1e72788a@andrewk3.ca.alcatel.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal In-Reply-To: <06a701c08b90$68979550$abd62ca1@cisco.com> X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Stephane, In hindsight, I think I took the vendor id out of a preliminary version of the v6 draft that you sent me before it was published. You must have changed the value of the vendor id during the final editing stages. (No worries, since we haven't released this code yet.) Andrew ------------------------------------------- Upon closer inspection, I saw that the line dividing black from white was in fact a shade of grey. As I drew nearer still, the grey area grew larger. And then I was enlightened. From owner-ietf-xauth Thu Feb 22 10:17:39 2001 Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id KAA25633 for ietf-xauth-bks; Thu, 22 Feb 2001 10:17:39 -0800 (PST) Received: from sj-msg-core-2.cisco.com (sj-msg-core-2.cisco.com [171.69.43.88]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA25628 for ; Thu, 22 Feb 2001 10:17:38 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-2.cisco.com (8.9.3/8.9.1) with ESMTP id KAA19407; Thu, 22 Feb 2001 10:17:25 -0800 (PST) Received: from stephanent3 (ott-b1-dhcp-10-85-28-184.cisco.com [10.85.28.184]) by toque.cisco.com (Mirapoint) with SMTP id ABO52523; Thu, 22 Feb 2001 13:17:08 -0500 (EST) Message-ID: <05c101c09cfb$e4e12aa0$b81c550a@cisco.com> From: "Stephane Beaulieu" To: "Derrell Piper" , , Cc: References: <330673.3191813919@el-air-2.electric-loft.org> Subject: Re: exchange type 6? Date: Thu, 22 Feb 2001 13:18:45 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Derrell, The reserved number in question is in the scope of Mode-Cfg (which is quite independant of Xauth, and serves a completely different function). The Xauth protocol uses the Mode-Cfg protocol as a transport mechanism, and only uses magic numbers from the "mutually consenting parties" range. I know that most people who have implemented mode-cfg, have also implemented Xauth, but some haven't, and some might not use Xauth in the future but keep mode-cfg. If you have security concerns about the Xauth protocol, I'll attempt to address them. I've heard of some concerns with the Xauth along the lines of. 1 - It complicates IKE, which is complicated enough by itself, so there's a good chance implementors will make mistakes, and render IKE less secure. - OK, noted. 2 - It promotes the use of pre-shared keys, which is obviously less secure than using a PKI. - TRUE, but some customers want this, and are willing to manage the risks involved 3 - It SHOULD NOT be used with pre-shared keys + Main Mode, as one would not have a choice but to use group shared keys which are susceptible to social engineer attacks. - I could change this to MUST NOT if there was concensus among the Xauth vendors, as I don't believe anyone actually uses this (other than for testing purposes). These concerns are already documented in the Security Considerations section of the draft. I truly hope that Xauth gets replaced in the future by something more appropriate (i.e. GetCert, PIC, Hybrid, CRACK, etc...).... mostly because I'm tired of having this very political discussion. However, customers *want* to have legacy authentication w/ pre-shared keys, until PKIs are a more viable solution, and it was the best protocol we had at the time, so we implemented it. Now we've got it, our business partners have it, and it works exactly as it was intended to work. So, if you know of any *serious* security problems (other than the heebee geebees) with the Xauth protocol (assuming it is properly implemented), then please post it to mailto:ietf-xauth@vpnc.org , as most of the people on that list have a vested interest in any such problems. Note: If anyone wishes to reply based on the "Security Considerations" of Xauth, please do so on the xauth mailing list noted above (which is also cc'd), as the IPsec mailing list is not really the forum. Thanks, Stephane. ----- Original Message ----- From: "Derrell Piper" To: ; Sent: Thursday, February 22, 2001 9:58 AM Subject: Re: exchange type 6? > Will, > > I just don't agree with allocating a reserved number to Config/XAUTH. > XAUTH was not adopted because it has serious security problems. We did > think about this. The problem is that there's been essentially no progress > on adopting a viable alternative (e.g. CRACK or Hybrid) so people continue > to use what they've got. However, it's our charter to provide secure > protocols and standardizing anything less is unacceptable to some of us. > > Derrell > > From owner-ietf-xauth Fri Mar 23 06:46:49 2001 Received: by above.proper.com (8.9.3/8.9.3) id GAA14824 for ietf-xauth-bks; Fri, 23 Mar 2001 06:46:49 -0800 (PST) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA14818 for ; Fri, 23 Mar 2001 06:46:48 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id GAA21038; Fri, 23 Mar 2001 06:46:16 -0800 (PST) Received: from stephanent3 (ott-b1-dhcp-10-85-28-184.cisco.com [10.85.28.184]) by toque.cisco.com (Mirapoint) with SMTP id AAN13923; Fri, 23 Mar 2001 09:46:10 -0500 (EST) Message-ID: <010201c0b3a8$3e5e9f00$b81c550a@cisco.com> From: "Stephane Beaulieu" To: , "vamsi" References: <200103231414.TAA08649@brahma.roc.com> Subject: Re: Xauth-OTP Date: Fri, 23 Mar 2001 09:47:54 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Vamsi, NOTE: moving this to the XAUTH mailing list. I must admit, I've never worked with OTP and wrote this up just by reading the RFC, so any input you have would certainly help. If the server needs to know the user name before generating the challenge, then all it has to do is ask for it. IPSec Host Edge Device -------------- ----------------- <--REQUEST(TYPE=OTP NAME='') REPLY(TYPE=OTP NAME='joe') --> <-- REQUEST(TYPE=OTP CHALLENGE="otp-md5 499 ke1234" NAME="" PASSWORD="") REPLY(TYPE=OTP NAME="joe" PASSWORD="5bf0 75d9 959d 036f") --> <-- SET(STATUS=OK) ACK(STATUS) --> Should I modify the example draft to make this clearer? Stephane. ----- Original Message ----- From: "Vamsi" To: Sent: Friday, March 23, 2001 9:07 AM Subject: Xauth-OTP > Hi, > 1)Can any one help me how to proceed the Xauth with OTP? > > 2) > From Xauth Draft ,the exchange of messages in case of OTP is as follows > IPSec Host Edge Device > -------------- ----------------- > <-- REQUEST(TYPE=OTP CHALLENGE="otp-md5 499 ke1234" > NAME="" PASSWORD="") > REPLY(TYPE=OTP NAME="joe" PASSWORD="5bf0 75d9 959d 036f") --> > <-- SET(STATUS=OK) > ACK(STATUS) --> > > As per my understanding OTP generates its challenge("otp-md5 499 ke1234") > from any one of the Key parameter like 'User Name'. > In Xauth at Edge Device,what parameter should I consider as key parameter > to generate a OTP challenge string? > > 3)My question is how an edge device can generate the OTP string ("otp-md5 > 499 ke1234") which will be encoded in a challenge attribute with out the > user name(i.e Key field to generate the OTP challenge string)? > > Please clarify me whether I am missing any thing in understanding the > Xauth transactions for OTP. > > bye > vamsi > > > > ************************************************************** > Wealth is lost Nothing is lost > Health is lost Something is lost > Character is lost Everything is lost > > **************************************************************** From owner-ietf-xauth Thu Mar 29 23:19:59 2001 Received: by above.proper.com (8.9.3/8.9.3) id XAA00601 for ietf-xauth-bks; Thu, 29 Mar 2001 23:19:59 -0800 (PST) Received: from stargate.halifax.rwth-aachen.de (IDENT:qmailr@stargate.halifax.RWTH-Aachen.DE [134.130.48.4]) by above.proper.com (8.9.3/8.9.3) with SMTP id XAA00590 for ; Thu, 29 Mar 2001 23:19:57 -0800 (PST) Received: (qmail 7011 invoked from network); 30 Mar 2001 00:13:02 -0000 Received: from smily.halifax.rwth-aachen.de (HELO smily) (134.130.48.200) by stargate.halifax.rwth-aachen.de with SMTP; 30 Mar 2001 00:13:02 -0000 From: "Christian Franzen" To: , , "Owner-Ipsec" Subject: confuzius Date: Fri, 30 Mar 2001 02:13:42 +0200 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, while I was checking todays market on CeBit this week, I got confused by so many different opinions and solutions for remote access scenarios using IPSec. Is there any definitive consense of vendors? Is there still a fight between IPSec under or over L2TP and IPSec with Xauth? Or, who won the battle? The enduser must be really confused rather more than me. What will be the future technology for a secure RAS??? Perhaps my own proprietary protocol??? ;-) I wonder if you could tell me, who is using which protocol? And what do you think will be the technology used in the future? Thanks Christian P.S.: I am very interested in your opinion, because I would like to collect some ideas about IPSec RAS for my thesis. From owner-ietf-xauth Fri Mar 30 06:09:23 2001 Received: by above.proper.com (8.9.3/8.9.3) id GAA16535 for ietf-xauth-bks; Fri, 30 Mar 2001 06:09:23 -0800 (PST) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA16531 for ; Fri, 30 Mar 2001 06:09:22 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id GAA15101; Fri, 30 Mar 2001 06:08:15 -0800 (PST) Received: from stephanent3 (ott-b1-dhcp-10-85-28-184.cisco.com [10.85.28.184]) by toque.cisco.com (Mirapoint) with SMTP id AAW05461; Fri, 30 Mar 2001 09:08:14 -0500 (EST) Message-ID: <0dd001c0b923$1c1a1840$b81c550a@cisco.com> From: "Stephane Beaulieu" To: "Christian Franzen" , , , "Owner-Ipsec" References: Subject: Re: confuzius Date: Fri, 30 Mar 2001 09:10:01 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Christian, Well, you're right to be confused. Some people use Xauth, some use L2TP, some use both. The IETF's IPSRA working group is also working on yet another completely different proposal. Each of the proposals has its own merits, and is better suited for different types of VPN deployment. I doubt you'll see anything change in the near future, as the IPSRA working group is moving very slowly. Your best bet would be to go with a vendor that supports both XAUTH and L2TP (a.k.a Cisco ;) Stephane. ----- Original Message ----- From: "Christian Franzen" To: ; ; "Owner-Ipsec" Sent: Thursday, March 29, 2001 7:13 PM Subject: confuzius > Hi, > > while I was checking todays market on CeBit this week, I got confused by so > many different opinions and solutions for remote access scenarios using > IPSec. Is there any definitive consense of vendors? > > Is there still a fight between IPSec under or over L2TP and IPSec with > Xauth? Or, who won the battle? The enduser must be really confused rather > more than me. What will be the future technology for a secure RAS??? Perhaps > my own proprietary protocol??? ;-) > > I wonder if you could tell me, who is using which protocol? And what do you > think will be the technology used in the future? > > Thanks > Christian > > P.S.: I am very interested in your opinion, because I would like to collect > some ideas about IPSec RAS for my thesis. > From owner-ietf-xauth Mon Apr 2 09:18:42 2001 Received: by above.proper.com (8.9.3/8.9.3) id JAA28929 for ietf-xauth-bks; Mon, 2 Apr 2001 09:18:42 -0700 (PDT) Received: from brahma.roc.com ([202.54.67.218]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA28920 for ; Mon, 2 Apr 2001 09:18:37 -0700 (PDT) Received: from roc (5net76.roc.com [172.16.5.76]) by brahma.roc.com (8.8.5/8.8.5) with SMTP id VAA11680 for ; Mon, 2 Apr 2001 21:55:27 +0530 (IST) Message-Id: <200104021625.VAA11680@brahma.roc.com> X-Sender: vamsi@172.16.1.10 (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Mon, 02 Apr 2001 21:48:03 +0530 To: ietf-xauth@vpnc.org From: Vamsi Subject: XAUTH_STATUS attribue Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id JAA28922 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, 1)In which scenarios can a Ipsec Host send the XAUTH_STATUS attribute set to fail? 2)I have noticed in one product that it is sending the XAUTH_STATUS attribute in ISAKMP-CFG-ACK message and the value is '0'.So should i disacard that XAUTH_STATUS attribute or else should I take any action? bye ************************************************************** Wealth is lost            Nothing is lost Health is lost            Something is lost Character is lost      Everything is lost **************************************************************** From owner-ietf-xauth Tue Apr 3 06:28:10 2001 Received: by above.proper.com (8.9.3/8.9.3) id GAA28520 for ietf-xauth-bks; Tue, 3 Apr 2001 06:28:10 -0700 (PDT) Received: from brahma.roc.com ([202.54.67.218]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA28507 for ; Tue, 3 Apr 2001 06:28:06 -0700 (PDT) Received: from roc (5net76.roc.com [172.16.5.76]) by brahma.roc.com (8.8.5/8.8.5) with SMTP id TAA02590 for ; Tue, 3 Apr 2001 19:04:46 +0530 (IST) Message-Id: <200104031334.TAA02590@brahma.roc.com> X-Sender: vamsi@172.16.1.10 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 03 Apr 2001 18:57:02 +0530 To: ietf-xauth@vpnc.org From: Vamsi Subject: IV Generation Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id GAA28514 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, Once after the completion of Transaction Exchange for Xauth then I have a question regarding the generation of IV which will be used in QuickMode. Should I use the the result of encryption/decryption of the last ciphertext block of the phase 1 message for the genration of IV which is used in quickMode or else should I consider result of encryption/decryption of the last ciphertext block of the Transaction Exchange message(last cipher text block of ISAKMP-CFG-ACK) for the generation of IV which will be used in QuickMode? bye vamsi ************************************************************** Wealth is lost            Nothing is lost Health is lost            Something is lost Character is lost      Everything is lost **************************************************************** From owner-ietf-xauth Tue Apr 3 06:51:20 2001 Received: by above.proper.com (8.9.3/8.9.3) id GAA01737 for ietf-xauth-bks; Tue, 3 Apr 2001 06:51:20 -0700 (PDT) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA01731 for ; Tue, 3 Apr 2001 06:51:19 -0700 (PDT) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id GAA01552; Tue, 3 Apr 2001 06:46:36 -0700 (PDT) Received: from stephanent3 (ott-b1-dhcp-10-85-28-184.cisco.com [10.85.28.184]) by toque.cisco.com (Mirapoint) with SMTP id ABH04599; Tue, 3 Apr 2001 09:46:35 -0400 (EDT) Message-ID: <125701c0bc44$bf1f9550$b81c550a@cisco.com> From: "Stephane Beaulieu" To: , "Vamsi" References: <200104031334.TAA02590@brahma.roc.com> Subject: Re: IV Generation Date: Tue, 3 Apr 2001 09:48:21 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: > Hi, > > > Once after the completion of Transaction Exchange for Xauth then I have a > question regarding the generation of IV which will be used in QuickMode. > Should I use the the result of encryption/decryption of the last ciphertext > block of the phase 1 message for the genration of IV which is used in > quickMode or else should I consider result of encryption/decryption of the > last ciphertext block of the Transaction Exchange message(last cipher text > block of ISAKMP-CFG-ACK) for the generation of IV which will be used in > QuickMode? Follow the same rule as you would for any other "phase 2" exchange, such as Config-Mode, Quick Mode, New Group Mode. The IV derivation is based of the last ciphertext block of the phase 1 message. > > bye > vamsi > > > > > > ************************************************************** > Wealth is lost Nothing is lost > Health is lost Something is lost > Character is lost Everything is lost > > **************************************************************** From owner-ietf-xauth Tue Apr 3 06:49:20 2001 Received: by above.proper.com (8.9.3/8.9.3) id GAA01647 for ietf-xauth-bks; Tue, 3 Apr 2001 06:49:20 -0700 (PDT) Received: from sj-msg-core-3.cisco.com (sj-msg-core-3.cisco.com [171.70.157.152]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA01643 for ; Tue, 3 Apr 2001 06:49:18 -0700 (PDT) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-3.cisco.com (8.9.3/8.9.1) with ESMTP id GAA04509; Tue, 3 Apr 2001 06:43:16 -0700 (PDT) Received: from stephanent3 (ott-b1-dhcp-10-85-28-184.cisco.com [10.85.28.184]) by toque.cisco.com (Mirapoint) with SMTP id ABH04555; Tue, 3 Apr 2001 09:44:33 -0400 (EDT) Message-ID: <125001c0bc44$76a72f40$b81c550a@cisco.com> From: "Stephane Beaulieu" To: , "Vamsi" References: <200104021625.VAA11680@brahma.roc.com> Subject: Re: XAUTH_STATUS attribue Date: Tue, 3 Apr 2001 09:46:19 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: > Hi, > 1)In which scenarios can a Ipsec Host send the XAUTH_STATUS attribute set > to fail? Any time you want to I suppose. We do it when the user aborts the connection in the middle of an XAUTH transaction. > 2)I have noticed in one product that it is sending the XAUTH_STATUS > attribute in ISAKMP-CFG-ACK message and the value is '0'.So should i > disacard that XAUTH_STATUS attribute or else should I take any action? That depends on how strict you want your code to be. Mode-cfg says it must return the zero length attribute that is being ACK'd. So, technically it is wrong. > > bye > > > > ************************************************************** > Wealth is lost Nothing is lost > Health is lost Something is lost > Character is lost Everything is lost > > **************************************************************** From owner-ietf-xauth Tue Apr 3 11:54:05 2001 Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id LAA25615 for ietf-xauth-bks; Tue, 3 Apr 2001 11:54:05 -0700 (PDT) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA25610 for ; Tue, 3 Apr 2001 11:54:04 -0700 (PDT) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id LAA12309 for ; Tue, 3 Apr 2001 11:53:40 -0700 (PDT) Received: from stephanent3 (ott-b1-dhcp-10-85-28-184.cisco.com [10.85.28.184]) by toque.cisco.com (Mirapoint) with SMTP id ABI01612; Tue, 3 Apr 2001 14:53:35 -0400 (EDT) Message-ID: <006101c0bc6f$a269ac40$b81c550a@cisco.com> From: "Stephane Beaulieu" To: Subject: Fw: I-D ACTION:draft-beaulieu-ike-xauth-01.txt Date: Tue, 3 Apr 2001 14:55:15 -0400 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_005C_01C0BC4E.17C4D360" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 x-mimeole: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_005C_01C0BC4E.17C4D360 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit FYI ----- Original Message ----- From: To: Sent: Tuesday, April 03, 2001 7:51 AM Subject: I-D ACTION:draft-beaulieu-ike-xauth-01.txt > A New Internet-Draft is available from the on-line Internet-Drafts directories. > > > Title : Extended Authentication within IKE (XAUTH) > Author(s) : S. Beaulieu, R. Pereira > Filename : draft-beaulieu-ike-xauth-01.txt > Pages : 20 > Date : 02-Apr-01 > > [IKE] allows a device to set up a secure session by using a > bidirectional authentication method using either pre-shared keys or > digital certificates. However [IKE] does not provide a method to > leverage legacy authentication methods which are widely deployed > today. > This document describes a method for using existing unidirectional > authentication mechanisms such as RADIUS, SecurID, and OTP within > IPSec's ISAKMP protocol. The purpose of this draft is not to > replace or enhance the existing authentication mechanisms described > in [IKE], but rather to allow them to be extended using legacy > authentication mechanisms. > > A URL for this Internet-Draft is: > http://www.ietf.org/internet-drafts/draft-beaulieu-ike-xauth-01.txt > > Internet-Drafts are also available by anonymous FTP. Login with the username > "anonymous" and a password of your e-mail address. After logging in, > type "cd internet-drafts" and then > "get draft-beaulieu-ike-xauth-01.txt". > > A list of Internet-Drafts directories can be found in > http://www.ietf.org/shadow.html > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > > Internet-Drafts can also be obtained by e-mail. > > Send a message to: > mailserv@ietf.org. > In the body type: > "FILE /internet-drafts/draft-beaulieu-ike-xauth-01.txt". > > NOTE: The mail server at ietf.org can return the document in > MIME-encoded form by using the "mpack" utility. To use this > feature, insert the command "ENCODING mime" before the "FILE" > command. To decode the response(s), you will need "munpack" or > a MIME-compliant mail reader. Different MIME-compliant mail readers > exhibit different behavior, especially when dealing with > "multipart" MIME messages (i.e. documents which have been split > up into multiple messages), so check your local documentation on > how to manipulate these messages. > > > Below is the data which will enable a MIME compliant mail reader > implementation to automatically retrieve the ASCII version of the > Internet-Draft. > ------=_NextPart_000_005C_01C0BC4E.17C4D360 Content-Type: application/octet-stream; name="ATT00087.dat" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="ATT00087.dat" Content-Type: text/plain Content-ID: <20010402124435.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-beaulieu-ike-xauth-01.txt ------=_NextPart_000_005C_01C0BC4E.17C4D360 Content-Type: text/plain; name="draft-beaulieu-ike-xauth-01.txt" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="draft-beaulieu-ike-xauth-01.txt" Content-Type: text/plain Content-ID: <20010402124435.I-D@ietf.org> ------=_NextPart_000_005C_01C0BC4E.17C4D360-- From owner-ietf-xauth Fri May 4 06:32:11 2001 Received: by above.proper.com (8.9.3/8.9.3) id GAA14305 for ietf-xauth-bks; Fri, 4 May 2001 06:32:11 -0700 (PDT) Received: from sj-msg-core-4.cisco.com (sj-msg-core-4.cisco.com [171.71.163.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA14033; Fri, 4 May 2001 06:30:32 -0700 (PDT) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-4.cisco.com (8.11.3/8.9.1) with ESMTP id f44DU8Q13312; Fri, 4 May 2001 06:30:08 -0700 (PDT) Received: from stephanent3 (ott-b1-dhcp-10-85-28-184.cisco.com [10.85.28.184]) by toque.cisco.com (Mirapoint) with SMTP id ADW00930; Fri, 4 May 2001 09:30:01 -0400 (EDT) Message-ID: <0f7601c0d49e$90447260$b81c550a@cisco.com> From: "Stephane Beaulieu" To: "Scott G. Kelly" , "Henry Spencer" Cc: , References: <3AF1C4B0.3ACCAE89@redcreek.com> Subject: XAUTH Bashing (was Re: Results of protocol straw poll) Date: Fri, 4 May 2001 09:31:45 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi All, I know this is not the proper forum to discuss Xauth issues, but someone else raised them, so I will politely respond, and encourage any further comments on Xauth, or more specifically its implementation details or security concerns (those that are VALID at least) to be discussed on ietf-xauth@vpnc.org "Scott G. Kelly" wrote: > > It is clear that xauth is trivially susceptible to DoS attacks, among > other things, and that should be a strong incentive against implementing > it. Scott, You often wildly make these kinds of allegations against XAUTH, yet you've never demonstrated or discussed the rationale behind them. Would you care to share these with me please (preferably on the ietf-xauth@vpnc.org mailing list). I think it is important that you do this, because, for some reason, some people actually believe you, and then they send me emails asking when I'm going to fix these problems in the draft. Of, course, I have no idea what they are talking about. DoS attacks? Please explain. This is the first of heard of it. P.S. Just to make my position clear on Xauth (w/regards to this WG). Even though I am the author, I don't think that Xauth is the best solution for this problem. I think the models of Hybrid or CRACK are much better than all the other candidates. I specifically prefer Hybrid because it will allow me to re-use much of the code base I already have. Hybrid is actually VERY trivial once you already have Xauth. Stephane. From owner-ietf-xauth Fri May 4 07:16:22 2001 Received: by above.proper.com (8.9.3/8.9.3) id HAA18541 for ietf-xauth-bks; Fri, 4 May 2001 07:16:22 -0700 (PDT) Received: from relay2.nai.com (relay2.nai.com [161.69.3.67]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA18534 for ; Fri, 4 May 2001 07:16:20 -0700 (PDT) Received: from scwsout1.nai.com (webshield2.nai.com [161.69.3.73]) by relay2.nai.com (8.9.3/8.9.3) with SMTP id HAA29690 for ; Fri, 4 May 2001 07:16:02 -0700 (PDT) Received: FROM ca-ex-bridge1.nai.com BY scwsout1.nai.com ; Fri May 04 07:16:05 2001 -0700 Received: by dns-23.dhcp-5.nai.com with Internet Mail Service (5.5.2653.19) id ; Fri, 4 May 2001 07:16:03 -0700 Message-ID: <8894CA1F87A5D411BD24009027EE78381280BE@md-exchange1.nai.com> From: "Mason, David" To: "'Stephane Beaulieu'" , "Scott G. Kelly" , Henry Spencer Cc: ietf-xauth@vpnc.org Subject: RE: XAUTH Bashing (was Re: Results of protocol straw poll) Date: Fri, 4 May 2001 07:15:43 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Additionally, the argument that XAuth is bad because it adds complexity to IKE seems rather weak. Consider the mechanism to provide remote access authentication using legacy methods as a closed system. Adding that support adds complexity to the system. Different solutions will add different amounts of complexity, but all solutions add complexity. Having implemented Hybrid/XAuth, it didn't really seem to add that much complexity to the existing code base: a couple of new entries in the state machine table and a separate module to process and construct the packets related to those states. With Hybrid/XAuth, the result requires two entities to provide the security: the legacy system and IKE. The other alternatives would seem to add just as much complexity to the system (more in my opinion) and require three entities to provide the security: the legacy system, the alternate proposal, and IKE. Fewer entities would be a good thing in my opinion. -dave -----Original Message----- From: Stephane Beaulieu [mailto:stephane@cisco.com] Sent: Friday, May 04, 2001 9:32 AM To: Scott G. Kelly; Henry Spencer Cc: ietf-ipsra@vpnc.org; ietf-xauth@vpnc.org Subject: XAUTH Bashing (was Re: Results of protocol straw poll) Hi All, I know this is not the proper forum to discuss Xauth issues, but someone else raised them, so I will politely respond, and encourage any further comments on Xauth, or more specifically its implementation details or security concerns (those that are VALID at least) to be discussed on ietf-xauth@vpnc.org "Scott G. Kelly" wrote: > > It is clear that xauth is trivially susceptible to DoS attacks, among > other things, and that should be a strong incentive against implementing > it. Scott, You often wildly make these kinds of allegations against XAUTH, yet you've never demonstrated or discussed the rationale behind them. Would you care to share these with me please (preferably on the ietf-xauth@vpnc.org mailing list). I think it is important that you do this, because, for some reason, some people actually believe you, and then they send me emails asking when I'm going to fix these problems in the draft. Of, course, I have no idea what they are talking about. DoS attacks? Please explain. This is the first of heard of it. P.S. Just to make my position clear on Xauth (w/regards to this WG). Even though I am the author, I don't think that Xauth is the best solution for this problem. I think the models of Hybrid or CRACK are much better than all the other candidates. I specifically prefer Hybrid because it will allow me to re-use much of the code base I already have. Hybrid is actually VERY trivial once you already have Xauth. Stephane. From owner-ietf-xauth Wed May 30 08:00:46 2001 Received: by above.proper.com (8.9.3/8.9.3) id IAA11375 for ietf-xauth-bks; Wed, 30 May 2001 08:00:46 -0700 (PDT) Received: from relay2.nai.com (relay2.nai.com [161.69.3.67]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA11368 for ; Wed, 30 May 2001 08:00:41 -0700 (PDT) Received: from scwsout1.nai.com (undef-3-73.nai.com [161.69.3.73] (may be forged)) by relay2.nai.com (8.9.3/8.9.3) with SMTP id KAA26937 for ; Wed, 30 May 2001 10:00:12 -0500 (CDT) Received: FROM ca-ex-bridge1.nai.com BY scwsout1.nai.com ; Wed May 30 07:59:30 2001 -0700 Received: by dns-23.dhcp-5.nai.com with Internet Mail Service (5.5.2653.19) id ; Wed, 30 May 2001 08:00:02 -0700 Message-ID: <8894CA1F87A5D411BD24009027EE783812810B@md-exchange1.nai.com> From: "Mason, David" To: "'Stephane Beaulieu'" , ietf-xauth@vpnc.org Subject: RE: I-D ACTION:draft-beaulieu-ike-xauth-01.txt Date: Wed, 30 May 2001 07:59:34 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: In section 6.2 shouldn't the type for the XAUTH-NEXT-PIN attribute be Variable ASCII string (instead of just Variable which implies a binary value)? Also in section 6.2 should it be noted under the description of the XAUTH-CHALLENGE attribute that this attribute SHOULD NOT be used with the Generic (explicit and/or implied) XAUTH-TYPE? (or perhaps MUST NOT). -dave From owner-ietf-xauth Thu May 31 10:02:53 2001 Received: by above.proper.com (8.9.3/8.9.3) id KAA11418 for ietf-xauth-bks; Thu, 31 May 2001 10:02:53 -0700 (PDT) Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA11408 for ; Thu, 31 May 2001 10:02:46 -0700 (PDT) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-1.cisco.com (8.11.3/8.9.1) with ESMTP id f4VH2H900393; Thu, 31 May 2001 10:02:17 -0700 (PDT) Received: from stephanent3 (ott-b1-dhcp-10-85-28-135.cisco.com [10.85.28.135]) by toque.cisco.com (Mirapoint) with SMTP id AAG08232; Thu, 31 May 2001 13:02:16 -0400 (EDT) Message-ID: <03ae01c0e9f3$a440d190$871c550a@cisco.com> From: "Stephane Beaulieu" To: "Mason, David" , References: <8894CA1F87A5D411BD24009027EE783812810B@md-exchange1.nai.com> Subject: Re: I-D ACTION:draft-beaulieu-ike-xauth-01.txt Date: Thu, 31 May 2001 13:03:40 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Dave, Correct on both counts. I'll update the draft after the next fun-filled IETF. Regards, Stephane. ----- Original Message ----- From: "Mason, David" To: "'Stephane Beaulieu'" ; Sent: Wednesday, May 30, 2001 10:59 AM Subject: RE: I-D ACTION:draft-beaulieu-ike-xauth-01.txt > In section 6.2 shouldn't the type for the XAUTH-NEXT-PIN attribute be > Variable ASCII string (instead of just Variable which implies a binary > value)? > > Also in section 6.2 should it be noted under the description of the > XAUTH-CHALLENGE attribute that this attribute SHOULD NOT be used with the > Generic (explicit and/or implied) XAUTH-TYPE? (or perhaps MUST NOT). > > -dave From owner-ietf-xauth Thu Jun 7 05:24:58 2001 Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id FAA27085 for ietf-xauth-bks; Thu, 7 Jun 2001 05:24:58 -0700 (PDT) Received: from michael.checkpoint.com (michael.checkpoint.com [199.203.73.68]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA27073 for ; Thu, 7 Jun 2001 05:24:50 -0700 (PDT) Received: from kaveret (localhost [127.0.0.1]) by michael.checkpoint.com (8.9.3/8.9.1) with SMTP id PAA22253 for ; Thu, 7 Jun 2001 15:24:18 +0300 (IDT) Reply-To: From: "Tamir Zegman" To: Subject: FW: I-D ACTION:draft-zegman-ike-hybrid-auth-00.txt Date: Thu, 7 Jun 2001 15:24:45 +0200 Message-ID: <002c01c0ef55$38727e20$6a8d96d4@checkpoint.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_002D_01C0EF65.FBFB4E20" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_002D_01C0EF65.FBFB4E20 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Attached is the latest version of Hybrid. Note that the I-D name as well as version number has changed. Tamir. -----Original Message----- From: nsyracus@cnri.reston.va.us [mailto:nsyracus@cnri.reston.va.us]On Behalf Of Internet-Drafts@ietf.org Sent: Thu, June 07, 2001 1:07 PM To: IETF-Announce: Subject: I-D ACTION:draft-zegman-ike-hybrid-auth-00.txt A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : A Hybrid Authentication Mode for IKE Author(s) : M. Litvin, R. Shamir, T. Zegman Filename : draft-zegman-ike-hybrid-auth-00.txt Pages : 10 Date : 06-Jun-01 This document describes a set of new authentication methods to be used within Phase 1 of the Internet Key Exchange (IKE). The proposed methods assume an asymmetry between the authenticating entities. One entity, typically an Edge Device (e.g. firewall), authenticates using standard public key techniques (in signature mode), while the other entity, typically a remote User, authenticates using challenge response techniques. These authentication methods are used to establish, at the end of Phase 1, an IKE SA which is unidirectionally authenticated. To make this IKE bi-directionally authenticated, this Phase 1 is immediately followed by an X-Auth Exchange [XAUTH]. The X-Auth Exchange is used to authenticate the remote User. The use of these authentication methods is referred to as Hybrid Authentication mode. This proposal is designed to provide a solution for environments where a legacy authentication system exists, yet a full public key infrastructure is not deployed. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-zegman-ike-hybrid-auth-00.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-zegman-ike-hybrid-auth-00.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-zegman-ike-hybrid-auth-00.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. ------=_NextPart_000_002D_01C0EF65.FBFB4E20 Content-Type: Message/External-body; name="ATT00022.dat" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="ATT00022.dat" Content-Type: text/plain Content-ID: <20010606100958.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-zegman-ike-hybrid-auth-00.txt ------=_NextPart_000_002D_01C0EF65.FBFB4E20 Content-Type: Message/External-body; name="draft-zegman-ike-hybrid-auth-00.txt" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="draft-zegman-ike-hybrid-auth-00.txt" Content-Type: text/plain Content-ID: <20010606100958.I-D@ietf.org> ------=_NextPart_000_002D_01C0EF65.FBFB4E20-- From owner-ietf-xauth Fri Sep 28 06:06:29 2001 Received: by above.proper.com (8.11.6/8.11.3) id f8SD6TX04984 for ietf-xauth-bks; Fri, 28 Sep 2001 06:06:29 -0700 (PDT) Received: from brahma.roc.com ([202.56.196.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f8SD6ND04980 for ; Fri, 28 Sep 2001 06:06:25 -0700 (PDT) Received: from vineet.roc.com (5net200.roc.com [172.16.5.200]) by brahma.roc.com (8.9.3/8.8.7) with SMTP id SAA08137 for ; Fri, 28 Sep 2001 18:28:52 +0530 Message-ID: <029f01c1481e$9f9d7600$c80510ac@roc.com> Reply-To: "vineet" From: "vineet" To: Subject: Query! Date: Fri, 28 Sep 2001 18:38:09 +0530 Organization: Intoto MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_029C_01C1484C.B8E7D500" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_029C_01C1484C.B8E7D500 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi, I have to implement NT Domaoin Authentication to add it as one of = Authenticaiotn type Under Xauth. I'm facing some problems, listed as = below: 1. Authentication is successful only when "NT LM 0.12" is selected as = protocol by NT server among various protocol in the proposal. But when I = force it to select other protocol such as "LM1.2X002" authentication is = failed. 2. What value must be given to XAUTH TYPE for this authentication type. Any suggestion in this regard would be of great help to me. Regards Vineet K Agarwal ------=_NextPart_000_029C_01C1484C.B8E7D500 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
Hi,
I have to implement NT Domaoin = Authentication to=20 add it as one of Authenticaiotn type Under Xauth. I'm facing some = problems,=20 listed as below:
1. Authentication is successful only = when "NT LM=20 0.12" is selected as protocol by NT server among various protocol in the = proposal. But when I force it to select other protocol such as = "LM1.2X002"=20 authentication is failed.
2. What value must be given to XAUTH = TYPE for this=20 authentication type.
 
Any suggestion in this regard would be = of great=20 help to me.
 
Regards

Vineet K = Agarwal
------=_NextPart_000_029C_01C1484C.B8E7D500-- From owner-ietf-xauth Tue Oct 30 23:25:23 2001 Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9V7PNV07829 for ietf-xauth-bks; Tue, 30 Oct 2001 23:25:23 -0800 (PST) Received: from brahma.roc.com ([202.56.196.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9V7PH807805 for ; Tue, 30 Oct 2001 23:25:18 -0800 (PST) Received: from 172 (5net60.roc.com [172.16.5.60]) by brahma.roc.com (8.9.3/8.8.7) with SMTP id MAA13802 for ; Wed, 31 Oct 2001 12:49:30 +0530 Message-ID: <007101c161dd$00c8a260$3c0510ac@16.5.60.brahma.roc.com> From: "vamsi" To: Subject: Xauth -New Group Mode Date: Wed, 31 Oct 2001 12:53:56 +0530 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_006E_01C1620B.1A1C2920" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_006E_01C1620B.1A1C2920 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi, I have some doubts about Xauth with New Group Mode. My question is=20 What is the appropriate position for New group Mode exchange when Xauth is implemented along with New Group Mode =20 a)should New Group Mode occur after phase1 and before Xauth? b)should New Group Mode occur after completion of both phase1 and = Xauth.? regards vamsi ------=_NextPart_000_006E_01C1620B.1A1C2920 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
Hi,
I have  some doubts about = Xauth with New=20 Group Mode.
My = question is=20
What is the appropriate position for = New=20 group
 Mode exchange when Xauth is = implemented along=20 with New Group Mode 
  a)should New Group Mode occur = after phase1=20 and before Xauth?
  b)should New Group Mode = occur after=20 completion of both phase1 and Xauth.?
 
regards
   = vamsi
------=_NextPart_000_006E_01C1620B.1A1C2920-- From owner-ietf-xauth Wed Oct 31 05:51:24 2001 Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9VDpON17073 for ietf-xauth-bks; Wed, 31 Oct 2001 05:51:24 -0800 (PST) Received: from sj-msg-core-4.cisco.com (sj-msg-core-4.cisco.com [171.71.163.10]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9VDpM817069 for ; Wed, 31 Oct 2001 05:51:22 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.208.153]) by sj-msg-core-4.cisco.com (8.11.3/8.9.1) with ESMTP id f9VDpIT27409; Wed, 31 Oct 2001 05:51:18 -0800 (PST) Received: from stephanent3 (ott-b1-dhcp-10-85-28-131.cisco.com [10.85.28.131]) by toque.cisco.com (Mirapoint) with SMTP id AAB17140; Wed, 31 Oct 2001 08:50:28 -0500 (EST) Message-ID: <042a01c16213$57b1b810$831c550a@cisco.com> From: "Stephane Beaulieu" To: "vamsi" , References: <007101c161dd$00c8a260$3c0510ac@16.5.60.brahma.roc.com> Subject: Re: Xauth -New Group Mode Date: Wed, 31 Oct 2001 08:52:55 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0427_01C161E9.6EC038D0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_0427_01C161E9.6EC038D0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Since New Group Mode can be used to increase or decrease the strength of = future DH exchanges, I think it would be wise to do NG mode after XAUTH. = XAUTH is a second phase of authentication meant to authenticate the = user. All authentication must be completed before any exchanges = (exception of phase 1 exchanges of course) can take place. ----- Original Message -----=20 From: vamsi=20 To: ietf-xauth@vpnc.org=20 Sent: Wednesday, October 31, 2001 2:23 AM Subject: Xauth -New Group Mode Hi, I have some doubts about Xauth with New Group Mode. My question is=20 What is the appropriate position for New group Mode exchange when Xauth is implemented along with New Group Mode =20 a)should New Group Mode occur after phase1 and before Xauth? b)should New Group Mode occur after completion of both phase1 and = Xauth.? regards vamsi ------=_NextPart_000_0427_01C161E9.6EC038D0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
Since New Group Mode can be used to = increase or=20 decrease the strength of future DH exchanges, I think it would be wise = to do NG=20 mode after XAUTH.  XAUTH is a second phase of authentication meant = to=20 authenticate the user.  All authentication must be completed before = any=20 exchanges (exception of phase 1 exchanges of course) can take=20 place.
 
 
----- Original Message -----
From:=20 vamsi=20
Sent: Wednesday, October 31, = 2001 2:23=20 AM
Subject: Xauth -New Group = Mode

Hi,
I have  some doubts about = Xauth with=20 New Group Mode.
My = question is=20
What is the appropriate position for = New=20 group
 Mode exchange when Xauth is = implemented=20 along with New Group Mode 
  a)should New Group Mode occur = after phase1=20 and before Xauth?
  b)should New Group Mode = occur after=20 completion of both phase1 and Xauth.?
 
regards
  =20 vamsi
------=_NextPart_000_0427_01C161E9.6EC038D0-- From owner-ietf-xauth Mon Feb 25 11:55:54 2002 Received: by above.proper.com (8.11.6/8.11.3) id g1PJts907181 for ietf-xauth-bks; Mon, 25 Feb 2002 11:55:54 -0800 (PST) Received: from exchange.colubris.com (gate.colubris.com [206.162.167.230]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g1PJtq307177 for ; Mon, 25 Feb 2002 11:55:52 -0800 (PST) Received: from colubris.com ([192.168.30.124] RDNS failed) by exchange.colubris.com with Microsoft SMTPSVC(5.0.2195.3779); Mon, 25 Feb 2002 14:52:21 -0500 Message-ID: <3C7A96CC.4AAE834A@colubris.com> Date: Mon, 25 Feb 2002 14:55:56 -0500 From: Martin Gadbois Organization: Colubris Networks X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.20 i686) X-Accept-Language: en MIME-Version: 1.0 To: ietf-xauth@vpnc.org Subject: Question about timeout and XAUTH. Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 25 Feb 2002 19:52:21.0984 (UTC) FILETIME=[F0752E00:01C1BE35] Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hello! While waiting for the user to enter a password when the edge device sent ATTR(NAME="", PASSWORD=""), what should be the timeout requirement to wait for a valid answer? Resending packets after 10 seconds leads for the movianVPN and PGPnet clients to re-ask several times the password, once per retry. I suggest to specify explicitly a mechanism to differentiate between retries and a new exchange, possibly based on the Attribute Payload Identifier. ( If Identifier == previous, this is a retry. Drop if waiting for user to enter password) Regards, -- ============== Martin Gadbois S/W Developper Colubris Networks Inc. From owner-ietf-xauth Mon Feb 25 12:08:58 2002 Received: by above.proper.com (8.11.6/8.11.3) id g1PK8wb07633 for ietf-xauth-bks; Mon, 25 Feb 2002 12:08:58 -0800 (PST) Received: from sj-msg-core-4.cisco.com (sj-msg-core-4.cisco.com [171.71.163.10]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g1PK8u307627 for ; Mon, 25 Feb 2002 12:08:56 -0800 (PST) Received: from toque.cisco.com (toque.cisco.com [161.44.201.11]) by sj-msg-core-4.cisco.com (8.11.3/8.9.1) with ESMTP id g1PK8ot00627; Mon, 25 Feb 2002 12:08:50 -0800 (PST) Received: from stephanent3 (dhcp-kta1-161-44-192-54.cisco.com [161.44.192.54]) by toque.cisco.com (Mirapoint) with SMTP id AAO06617; Mon, 25 Feb 2002 15:05:53 -0500 (EST) Message-ID: <087101c1be38$8ee2aa70$36c02ca1@cisco.com> From: "Stephane Beaulieu" To: "Martin Gadbois" , References: <3C7A96CC.4AAE834A@colubris.com> Subject: Re: Question about timeout and XAUTH. Date: Mon, 25 Feb 2002 15:11:06 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: If the Message ID is the same, then it is the same exchange. Although, there can still be several different ATTR(NAME="", PASSWORD="") sent within one XAUTH transaction, so relying on that alone is still not full-proof. I think most IKE implementations just use a HASH of the last received IKE packet to tell the difference between a new packet, and a retransmit. You may also want to scale back your retransmit timers in the case of XAUTH. For example instead of retransmitting 3 times, every 10 seconds (total of 30 seconds) before you consider the attempt failed, you may want to scale that back to 5 times, every 30 seconds (total of 2:30). Or even better, do an exponential backoff. ----- Original Message ----- From: "Martin Gadbois" To: Sent: Monday, February 25, 2002 2:55 PM Subject: Question about timeout and XAUTH. > > Hello! > > While waiting for the user to enter a password when the edge device sent > ATTR(NAME="", PASSWORD=""), what should be the timeout requirement to > wait for a valid answer? > > Resending packets after 10 seconds leads for the movianVPN and PGPnet > clients to re-ask several times the password, once per retry. > I suggest to specify explicitly a mechanism to differentiate between > retries and a new exchange, possibly based on the Attribute Payload > Identifier. ( If Identifier == previous, this is a retry. Drop if > waiting for user to enter password) > > Regards, > > > -- > ============== > Martin Gadbois > S/W Developper > Colubris Networks Inc. > > > From owner-ietf-xauth Thu Oct 24 10:36:21 2002 Received: (from majordomo@localhost) by above.proper.com (8.11.6/8.11.3) id g9OHaLP17026 for ietf-xauth-bks; Thu, 24 Oct 2002 10:36:21 -0700 (PDT) Received: from trilmail.funk.com (26-71-51-66.reonbroadband.com [66.51.71.26]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g9OHaJW17021 for ; Thu, 24 Oct 2002 10:36:20 -0700 (PDT) Received: by trilmail.funk.com with Internet Mail Service (5.5.2653.19) id ; Thu, 24 Oct 2002 13:33:43 -0400 Message-ID: <605BFAC48B20D34F8923E47EB3F8E86E0220EA@trilmail.funk.com> From: Steve Vernick To: "'ietf-xauth@vpnc.org'" Subject: Seeking Security Gateways that send CHAP, MS-CHAP or MS-CHAPv2 ch allenge Date: Thu, 24 Oct 2002 13:33:37 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Greetings. Do you know of XAUTH-capable security gateways that send a RADIUS-CHAP challenge to the client? We have found only one, the NetScreen 5XP. Do you know of gateways that use MS-CHAP or MS-CHAPv2 for the challenge/response? If you do know of such gateways, could you please reply with the manufacturer's names and, if possible, model numbers? Thank you much. /Steve Steven Vernick, Principal Software Engineer Funk Software, Inc. 1732 Main Street, Suite 101 Concord, MA 01742 USA Voice: 978-371-3980 (x124) Fax: 978-371-3990 email: svernick@funk.com http://www.funk.com From owner-ietf-xauth Fri Sep 10 02:49:21 2004 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i8A9nKSd054049; Fri, 10 Sep 2004 02:49:20 -0700 (PDT) (envelope-from owner-ietf-xauth@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i8A9nKoo054048; Fri, 10 Sep 2004 02:49:20 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-xauth@mail.vpnc.org using -f Received: from smail3.alcatel.fr (smail3.alcatel.fr [64.208.49.56]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i8A9nJq5054006 for ; Fri, 10 Sep 2004 02:49:20 -0700 (PDT) (envelope-from Hill.Rutyer@alcatel.co.uk) Received: from gbmail01.netfr.alcatel.fr (gbmail01.netfr.alcatel.fr [155.132.182.170]) by smail3.alcatel.fr (ALCANET/NETFR) with ESMTP id i8A9nEVD013109 for ; Fri, 10 Sep 2004 11:49:14 +0200 Subject: OATH support in XAUTH on firewalls To: ietf-xauth@vpnc.org X-Mailer: Lotus Notes Release 5.0.8 June 18, 2001 Message-ID: From: Hill.Rutyer@alcatel.co.uk Date: Fri, 10 Sep 2004 10:49:06 +0100 X-MIMETrack: Serialize by Router on GBMAIL01/GB/ALCATEL(Release 5.0.11 |July 24, 2002) at 09/10/2004 10:49:13 MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii X-Alcanet-MTA-scanned-and-authorized: yes Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi there I have just joined the list and so am unaware of the progress of many items that would have been covered in this list If there are now standardisation which are supported by all major vendors it would be interesting to know Can anyone tell which if any firewalls support OATH token authentication in XAUTH on IKEv1 Can anyone also tell me any information available on the likely implementation of IKEv2 by any major firewall vendors all help on ike and XAUTH support by firewall vendrs is much appreciated Many thanks in advance Kind Regards Hill Ruyter From owner-ietf-xauth Fri Sep 10 06:14:48 2004 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i8ADEmPC089623; Fri, 10 Sep 2004 06:14:48 -0700 (PDT) (envelope-from owner-ietf-xauth@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i8ADEmfr089622; Fri, 10 Sep 2004 06:14:48 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-xauth@mail.vpnc.org using -f Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i8ADElQW089587 for ; Fri, 10 Sep 2004 06:14:47 -0700 (PDT) (envelope-from stephane@cisco.com) Received: from sj-core-1.cisco.com (171.71.177.237) by sj-iport-5.cisco.com with ESMTP; 10 Sep 2004 06:15:13 -0700 X-BrightmailFiltered: true Received: from mira-kan-a.cisco.com (IDENT:mirapoint@mira-kan-a.cisco.com [161.44.201.17]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id i8ADEW8J000451; Fri, 10 Sep 2004 06:14:32 -0700 (PDT) Received: from stephanew2k02 (dhcp-kta1-161-44-192-56.cisco.com [161.44.192.56]) by mira-kan-a.cisco.com (MOS 3.4.6-GR) with ESMTP id ACZ99512; Fri, 10 Sep 2004 06:07:44 -0700 (PDT) Reply-To: From: "Stephane Beaulieu" To: , Subject: RE: OATH support in XAUTH on firewalls Date: Fri, 10 Sep 2004 09:07:44 -0400 Message-ID: <02af01c49737$29948050$ea1c550a@amer.cisco.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.5709 In-Reply-To: Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4939.300 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Hill, No, XAUTH is not standardized for IKEv1, and never will be. Cisco does support it in IOS, PIX, VPN3000, and Client applications. Cisco PIX firewall supports native SDI token authentication, and any other tokens that can be proxy'd via RADIUS. IKEv2 will be supported in IOS and PIX sometime in 2005 (dates not finalized). Regards, Stephane. > -----Original Message----- > From: owner-ietf-xauth@mail.vpnc.org > [mailto:owner-ietf-xauth@mail.vpnc.org] On Behalf Of > Hill.Rutyer@alcatel.co.uk > Sent: Friday, September 10, 2004 5:49 AM > To: ietf-xauth@vpnc.org > Subject: OATH support in XAUTH on firewalls > > > > > Hi there > > I have just joined the list and so am unaware of the progress > of many items that would have been covered in this list If > there are now standardisation which are supported by all > major vendors it would be interesting to know > > Can anyone tell which if any firewalls support OATH token > authentication in XAUTH on IKEv1 > > Can anyone also tell me any information available on the > likely implementation of IKEv2 by any major firewall vendors > > all help on ike and XAUTH support by firewall vendrs is much > appreciated > > Many thanks in advance > > Kind Regards > Hill Ruyter > > > From owner-ietf-xauth Sun Nov 28 00:21:27 2004 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id iAS8LRSs071727; Sun, 28 Nov 2004 00:21:27 -0800 (PST) (envelope-from owner-ietf-xauth@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id iAS8LRbT071725; Sun, 28 Nov 2004 00:21:27 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-xauth@mail.vpnc.org using -f Received: from innosoft.com (xcaynyk@[165.194.16.20]) by above.proper.com (8.12.11/8.12.9) with ESMTP id iAS8LJPf071457 for ; Sun, 28 Nov 2004 00:21:26 -0800 (PST) (envelope-from chris.newman@innosoft.com) Received: from security12 (security12 [165.194.16.20]) by security12 (8.12.8p1/8.12.8) with ESMTP id i09K6Auw025944 for ; Sun, 28 Nov 2004 17:21:45 +0900 (envelope-from chris.newman@innosoft.com) Message-Id: <000301c4d56e$bc370de0$1410c2a5@security12> X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software From: chris.newman@innosoft.com To: ietf-xauth@vpnc.org Subject: Hey! Date: Sun, 28 Nov 2004 17:21:45 +0900 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0000_01C4D56E.BC370DE0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1081 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_0000_01C4D56E.BC370DE0 Content-Type: text/html; charset="iso-8859-" Content-Transfer-Encoding: quoted-printable Hi! I am looking for new friends.

My name is Jane, I am from Miami, FL.

See my homepage with my weblog and last webcam photos!

See you!




------=_NextPart_000_0000_01C4D56E.BC370DE0-- From owner-ietf-xauth Wed Dec 8 20:27:19 2004 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id iB94RJFO043300; Wed, 8 Dec 2004 20:27:19 -0800 (PST) (envelope-from owner-ietf-xauth@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id iB94RJEK043299; Wed, 8 Dec 2004 20:27:19 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-xauth@mail.vpnc.org using -f Received: from sookmyung.ac.kr ([165.194.16.95]) by above.proper.com (8.12.11/8.12.9) with ESMTP id iB94RHYR043273 for ; Wed, 8 Dec 2004 20:27:18 -0800 (PST) (envelope-from rhee@sookmyung.ac.kr) Received: from security12 (security12 [165.194.16.95]) by security12 (8.12.8p1/8.12.8) with ESMTP id i39M7Rnj056743 for ; Thu, 9 Dec 2004 13:31:57 +0900 (envelope-from rhee@sookmyung.ac.kr) Message-Id: <000501c4ddf3$747ac1d0$5f10c2a5@security12> X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software From: rhee@sookmyung.ac.kr To: ietf-xauth@vpnc.org Subject: Hey! Date: Thu, 9 Dec 2004 13:31:57 +0900 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0002_01C4DDF3.747AC1D0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1081 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081 Sender: owner-ietf-xauth@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_0002_01C4DDF3.747AC1D0 Content-Type: text/html; charset="iso-8859-" Content-Transfer-Encoding: quoted-printable Hi! I am looking for new friends.

My name is Jane, I am from Miami, FL.

See my homepage with my weblog and last webcam photos!

See you!




------=_NextPart_000_0002_01C4DDF3.747AC1D0--