RE: XAUTH Bashing (was Re: Results of protocol straw poll)
Additionally, the argument that XAuth is bad because it adds complexity to
IKE seems rather weak. Consider the mechanism to provide remote access
authentication using legacy methods as a closed system. Adding that support
adds complexity to the system. Different solutions will add different
amounts of complexity, but all solutions add complexity. Having implemented
Hybrid/XAuth, it didn't really seem to add that much complexity to the
existing code base: a couple of new entries in the state machine table and
a separate module to process and construct the packets related to those
states. With Hybrid/XAuth, the result requires two entities to provide the
security: the legacy system and IKE. The other alternatives would seem to
add just as much complexity to the system (more in my opinion) and require
three entities to provide the security: the legacy system, the alternate
proposal, and IKE. Fewer entities would be a good thing in my opinion.
-dave
-----Original Message-----
From: Stephane Beaulieu [mailto:stephane@xxxxxxxxx]
Sent: Friday, May 04, 2001 9:32 AM
To: Scott G. Kelly; Henry Spencer
Cc: ietf-ipsra@xxxxxxxx; ietf-xauth@xxxxxxxx
Subject: XAUTH Bashing (was Re: Results of protocol straw poll)
Hi All,
I know this is not the proper forum to discuss Xauth issues, but someone
else raised them, so I will politely respond, and encourage any further
comments on Xauth, or more specifically its implementation details or
security concerns (those that are VALID at least) to be discussed on
ietf-xauth@xxxxxxxx
"Scott G. Kelly" <skelly@xxxxxxxxxxxx> wrote:
>
> It is clear that xauth is trivially susceptible to DoS attacks, among
> other things, and that should be a strong incentive against implementing
> it.
Scott,
You often wildly make these kinds of allegations against XAUTH, yet you've
never demonstrated or discussed the rationale behind them. Would you care
to share these with me please (preferably on the ietf-xauth@xxxxxxxx mailing
list). I think it is important that you do this, because, for some reason,
some people actually believe you, and then they send me emails asking when
I'm going to fix these problems in the draft. Of course, I have no idea
what they are talking about. DoS attacks? Please explain. This is the
first I've heard of it.
P.S. Just to make my position clear on Xauth (w/regards to this WG). Even
though I am the author, I don't think that Xauth is the best solution for
this problem. I think the models of Hybrid or CRACK are much better than
all the other candidates. I specifically prefer Hybrid because it will
allow me to re-use much of the code base I already have. Hybrid is actually
VERY trivial once you already have Xauth.
Stephane.