Re: Question about timeout and XAUTH.
If the Message ID is the same, then it is the same exchange. Although there
can still be several different ATTR(NAME="", PASSWORD="") sent within
one XAUTH transaction, so relying on that alone is still not foolproof.
I think most IKE implementations just use a HASH of the last received IKE
packet to tell the difference between a new packet, and a retransmit.
You may also want to scale back your retransmit timers in the case of XAUTH.
For example instead of retransmitting 3 times, every 10 seconds (total of 30
seconds) before you consider the attempt failed, you may want to scale that
back to 5 times, every 30 seconds (total of 2:30). Or even better, do an
exponential backoff.
----- Original Message -----
From: "Martin Gadbois" <martin.gadbois@xxxxxxxxxxxx>
To: <ietf-xauth@xxxxxxxx>
Sent: Monday, February 25, 2002 2:55 PM
Subject: Question about timeout and XAUTH.
>
> Hello!
>
> While waiting for the user to enter a password when the edge device sent
> ATTR(NAME="", PASSWORD=""), what should be the timeout requirement to
> wait for a valid answer?
>
> Resending packets after 10 seconds leads the movianVPN and PGPnet
> clients to re-ask for the password several times, once per retry.
> I suggest specifying explicitly a mechanism to differentiate between
> retries and a new exchange, possibly based on the Attribute Payload
> Identifier. ( If Identifier == previous, this is a retry. Drop if
> waiting for user to enter password)
>
> Regards,
>
>
> --
> ==============
> Martin Gadbois
> S/W Developer
> Colubris Networks Inc.
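Added example, not code from either message in this thread: a small Python model of the reply's approach, keying on the IKE Message ID plus a digest of the last packet received for that ID, so a retransmit is dropped while the user is still at the password prompt but a genuinely new attribute request in the same transaction still prompts. It also builds the exponential backoff schedule the reply recommends. The class, method names and sample packet bytes are constructed for illustration.

```python
import hashlib


class XauthResponder:
    """Per-Message-ID state for an XAUTH edge device (constructed model).

    A packet is a retransmit when it arrives with the same Message ID and the
    same digest as the previous packet for that ID; a different digest under
    the same ID is a new request within the same XAUTH transaction.
    """

    def __init__(self):
        self.last_digest = {}      # message_id -> digest of last received packet
        self.awaiting_user = set()  # message_ids with an open password prompt

    def classify(self, message_id, packet):
        digest = hashlib.sha256(packet).digest()
        if self.last_digest.get(message_id) == digest:
            return "retransmit"
        self.last_digest[message_id] = digest
        return "new"

    def handle(self, message_id, packet):
        """Return 'prompt' to show the user a password prompt, 'dropped' otherwise."""
        kind = self.classify(message_id, packet)
        if kind == "retransmit" and message_id in self.awaiting_user:
            return "dropped"  # peer retransmitted; do not re-ask the user
        self.awaiting_user.add(message_id)
        return "prompt"

    def user_answered(self, message_id):
        """Called once the user submits credentials for this Message ID."""
        self.awaiting_user.discard(message_id)


def backoff_schedule(initial, retries, factor=2.0, cap=None):
    """Delays (seconds) before each retransmit, growing exponentially up to cap."""
    delays, delay = [], float(initial)
    for _ in range(retries):
        delays.append(delay)
        delay = delay * factor if cap is None else min(delay * factor, cap)
    return delays


if __name__ == "__main__":
    r = XauthResponder()
    req = b"\x01\x02ATTR(NAME='',PASSWORD='')"   # constructed sample packet
    print(r.handle(7, req), r.handle(7, req))      # prompt dropped
    print(backoff_schedule(10, 5), sum(backoff_schedule(10, 5)))
```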