
Re: AW: [ADs] Re: RFC 5090 -- draft-ietf-radext-rfc4590bis -- Re: Problem with fixes to Appendix A



Can the authors huddle and figure this out? We really do want to get the test vectors right before publishing RFC 5090.

--------------------------------------------------
From: "Beck01, Wolfgang" <BeckW@t-systems.com>
Sent: Tuesday, January 29, 2008 6:12 AM
To: <rfc-editor@rfc-editor.org>; <Baruch.Sterman@Kayote.com>; <dromasca@avaya.com>; <rbonica@juniper.net>
Cc: <dschwartz@xconnect.net>; <bernard_aboba@hotmail.com>; <mikem@open.com.au>; <david.schwartz@xconnect.net>; <dscreat@dscreat.com>; <dwilli@cisco.com>; <dromasca@avaya.com>; <rbonica@juniper.net>; <d.b.nelson@comcast.net>
Subject: AW: [ADs] Re: RFC 5090 -- draft-ietf-radext-rfc4590bis -- Re: Problem with fixes to Appendix A

I hate to say it, but there are still bugs in the examples.

In the Access-Request with id 0x7d, I calculate a Digest-Response of
958ce2c45980c79bd91c3044f32be6da
and a Message-Authenticator of
92A87E1C88BD9573958327C656094634

For the corresponding Access-Accept, I get an Authenticator of
F237371FFDBFE48CBD9F63D25086B004
a Digest-Response-Auth of
1e2e26caa5611b083e201778485fb394
and a Message Authenticator of
51C3078093B3C5C15FACF27A27E7BE0A

In the Access-Request with id 0x7e, the diff version states a packet
length of 72. Summing up
20 Byte RADIUS header
6 Byte NAS-IP
6 Byte NAS-Port
5 Byte Digest-Method GET
13 Byte Digest-URI /index.html
18 Byte Message-Authenticator
---
68 Bytes, not 72.

My script comes up with a Message-Authenticator of 690BFC95E88DF3B185F15CD78E469992

For the Access-Request with Id 0x7f, I calculate a
Digest-Response of
5af2aae88d01277b70c03865ced2abef
and a Message-Authenticator of
904890FD52DA0DEDF400B8CABD7A8642

For the Access-Accept of Id 0x7f, I get an Authenticator of
EB50D310D1649A0C3FCEBC2623422FCA
a Digest-Response-Auth of
0414c25df396d125d79380982de80516
and a Message-Authenticator of
08EBFB290D55EEA4BF8FB48405A16E55

For the packets with id 0x7c, I get the same values as in the rfc doc.

-----Ursprüngliche Nachricht-----
Von: RFC Editor [mailto:rfc-editor@rfc-editor.org]
Gesendet: Dienstag, 29. Januar 2008 02:38
An: Baruch Sterman; Dan Romascanu; Ronald Bonica
Cc: David Schwartz; Bernard Aboba; Beck, Wolfgang;
mikem@open.com.au; David Schwartz; dscreat@dscreat.com;
dwilli@cisco.com; Dan Romascanu; Ronald Bonica;
d.b.nelson@comcast.net; RFC Editor
Betreff: [ADs] Re: RFC 5090 -- draft-ietf-radext-rfc4590bis
-- Re: Problem with fixes to Appendix A


Greetings Dan and Ron,

Please review the changes in the Appendix below and let us
know if you approve.

Note that you can also review the changes to the Appendix in
the diff file located at:

   ftp://ftp.rfc-editor.org/in-notes/authors/rfc5090-last-diff.html

All of the authors have signed off on the document, and we
now await your approval before announcing the document.

Thank you.

RFC Editor


On Tue, Jan 15, 2008 at 08:35:36PM +0200, Baruch Sterman wrote:
> I hope this does it!
>
>
>
> Thanks to everyone.
>
>
>
>
>
> We would like to add at the top of the acknowledgements:
>
>
>
>       The authors would like to thank Mike McCauley for his help in
> working through the details of the examples.
>
>
>
>
>
> Here is the full version of examples. I highlighted places where there
> are changes:
>
>
>
>
>
>    A->B
>
>
>
>       INVITE sip:97226491335@example.com SIP/2.0
>
>       From: <sip:12345678@example.com>
>
>       To: <sip:97226491335@example.com>
>
>
>
>    B->A
>
>
>
>       SIP/2.0 100 Trying
>
>
>
>    B->C
>
>
>
>       Code = Access-Request (1)
>
>       Packet identifier = 0x7c (124)
>
>       Length = 97
>
>       Authenticator = F5E55840E324AA49D216D9DBD069807C
>
>       NAS-IP-Address = 192.0.2.38
>
>       NAS-Port = 5
>
>       User-Name = 12345678
>
>       Digest-Method = INVITE
>
>       Digest-URI = sip:97226491335@example.com
>
>       Message-Authenticator = 7600D5B0BDC33987A60D5C6167B28B3B
>
>
>
>    C->B
>
>
>
>       Code = Access-challenge (11)
>
>       Packet identifier = 0x7c (124)
>
>       Length = 72
>
>       Authenticator = EBE20199C26EFEAD69BF8AB0E786CA4D
>
>       Digest-Nonce = 3bada1a0
>
>       Digest-Realm = example.com
>
>       Digest-Qop = auth
>
>       Digest-Algorithm = MD5
>
>       Message-Authenticator = 5DA18ED3BBC9513DCBDE0A37F51B7DE3
>
>
>
>    B->A
>
>
>
>       SIP/2.0 407 Proxy Authentication Required
>
>       Proxy-Authenticate: Digest realm="example.com"
>
>            ,nonce="3bada1a0",qop=auth,algorithm=MD5
>
>       Content-Length: 0
>
>
>
>    A->B
>
>
>
>       ACK sip:97226491335@example.com SIP/2.0
>
>
>
>    A->B
>
>
>
>       INVITE sip:97226491335@example.com SIP/2.0
>
>       Proxy-Authorization: Digest nonce="3bada1a0"
>
>            ,realm="example.com"
>
>            ,response="756933f735fcd93f90a4bbdd5467f263"
>
>            ,uri="sip:97226491335@example.com",username="12345678"
>
>            ,qop=auth,algorithm=MD5
>
>            ,cnonce="56593a80,nc="00000001"
>
>
>
>       From: <sip:12345678@example.com>
>
>       To: <sip:97226491335@example.com>
>
>
>
>    B->C
>
>
>
>       Code = Access-Request (1)
>
>       Packet identifier = 0x7d (125)
>
>       Length = 221
>
>       Authenticator = F5E55840E324AA49D216D9DBD069807D
>
>       NAS-IP-Address = 192.0.2.38
>
>       NAS-Port = 5
>
>       User-Name = 12345678
>
>       Digest-Method = INVITE
>
>       Digest-URI = sip:97226491335@example.com
>
>       Digest-Realm = example.com
>
>       Digest-Qop = auth
>
>       Digest-Algorithm = MD5
>
>       Digest-CNonce = 56593a80
>
>       Digest-Nonce = 3bada1a0
>
>       Digest-Nonce-Count = 00000001
>
>       Digest-Response = 756933f735fcd93f90a4bbdd5467f263
>
>       Digest-Username = 12345678
>
>       SIP-AOR = sip:12345678@example.com
>
>       Message-Authenticator = B6C7F7F8D11EF261A26933D234561A60
>
>
>
>    C->B
>
>
>
>       Code = Access-Accept (2)
>
>       Packet identifier = 0x7d (125)
>
>       Length = 72
>
>       Authenticator = FFDD74D6470D21CB6FC4D6056BE245D2
>
>       Digest-Response-Auth = f847de948d12285f8f4199e366f1af21
>
>       Message-Authenticator = 7B76E2F10A7067AF601938BF13B0A62E
>
>
>
>    B->A
>
>
>
>       SIP/2.0 180 Ringing
>
>
>
>    B->A
>
>
>
>       SIP/2.0 200 OK
>
>
>
>    A->B
>
>
>
>       ACK sip:97226491335@example.com SIP/2.0
>
>
>
>    A second example shows the traffic between a web browser (A), a web
>
>    server (B), and a RADIUS server (C).
>
>
>
>    A->B
>
>
>
>       GET /index.html HTTP/1.1
>
>
>
>    B->C
>
>       Code = Access-Request (1)
>
>       Packet identifier = 0x7e (126)
>
>       Length = 78
>
>       Authenticator = F5E55840E324AA49D216D9DBD069807E
>
>       NAS-IP-Address = 192.0.2.38
>
>       NAS-Port = 5
>
>       Digest-Method = GET
>
>       Digest-URI = /index.html
>
>       Message-Authenticator = E4C3D52DD0472663B49A6623B52C2A67
>
>
>
>    C->B
>
>
>
>       Code = Access-challenge (11)
>
>       Packet identifier = 0x7e (126)
>
>       Length = 72
>
>       Authenticator = 2EE5EB01C02C773B6C6EC8515F565E8E
>
>       Digest-Nonce = a3086ac8
>
>       Digest-Realm = example.com
>
>       Digest-Qop = auth
>
>       Digest-Algorithm = MD5
>
>       Message-Authenticator = 646DB2B0AF9E72FFF2CF7FEB33C4952A
>
>
>
>    B->A
>
>
>
>       HTTP/1.1 401 Authentication Required
>
>       WWW-Authenticate: Digest realm="example.com",
>
>           nonce="a3086ac8",qop=auth,algorithm=MD5
>
>       Content-Length: 0
>
>
>
>    A->B
>
>
>
>       GET /index.html HTTP/1.1
>
>       Authorization: Digest algorithm=MD5,qop=auth,nonce="a3086ac8"
>
>            ,nc="00000001",cnonce="56593a80"
>
>            ,realm="example.com"
>
>            ,response="a4fac45c27a30f4f244c54a2e99fa117"
>
>            ,uri="/index.html",username="12345678"
>
>
>
>    B->C
>
>
>
>       Code = Access-Request (1)
>
>       Packet identifier = 0x7f (127)
>
>       Length = 176
>
>       Authenticator = F5E55840E324AA49D216D9DBD069807F
>
>       NAS-IP-Address = 192.0.2.38
>
>       NAS-Port = 5
>
>       User-Name = 12345678
>
>       Digest-Method = GET
>
>       Digest-URI = /index.html
>
>       Digest-Realm = example.com
>
>       Digest-Qop = auth
>
>       Digest-Algorithm = MD5
>
>       Digest-CNonce = 56593a80
>
>       Digest-Nonce = a3086ac8
>
>       Digest-Nonce-Count = 00000001
>
>       Digest-Response = a4fac45c27a30f4f244c54a2e99fa117
>
>       Digest-Username = 12345678
>
>       Message-Authenticator = 237D85C1478C70C67EEAF22A9C456821
>
>
>
>    C->B
>
>
>
>       Code = Access-Accept (2)
>
>       Packet identifier = 0x7f (127)
>
>       Length = 72
>
>       Authenticator = 6364FA6ED66012847C05A0895607C694
>
>       Digest-Response-Auth = 08c4e942d1d0a191de8b3aa98cd35147
>
>       Message-Authenticator = 43795A3166492AD2A890AD57D5F97D56
>
>
>
>    B->A
>
>
>
>       HTTP/1.1 200 OK
>
>       ...
>
>
>
>       <html>
>
>       ...
>
>
>
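
The length and Message-Authenticator checks discussed in this thread can be reproduced mechanically. The following is an added example, not code from any of the participants: it encodes the id 0x7e Access-Request from the quoted fields, derives the Length field from the encoded attributes, and verifies the Message-Authenticator (HMAC-MD5 over the packet with that attribute's value zeroed). The shared secret does not appear in the thread, so `SECRET` is a placeholder and the resulting MAC will not match any value quoted above; the function names are this example's own.

```python
import hmac
import socket
import struct

# Attribute types: RFC 2865 (4, 5), RFC 3579 (80), RFC 5090 (108, 109).
NAS_IP, NAS_PORT, MSG_AUTH, DIGEST_METHOD, DIGEST_URI = 4, 5, 80, 108, 109
SECRET = b"placeholder-secret"  # assumption: the real shared secret is not in the thread

def attr(atype, value):
    """One attribute: type byte, length byte (counts the 2-byte header), value."""
    return bytes([atype, len(value) + 2]) + value

def build_request(ident, authenticator, attrs, secret):
    """Access-Request whose Message-Authenticator is HMAC-MD5 over the whole
    packet, computed while the 16-byte Message-Authenticator value is zero."""
    body = b"".join(attr(t, v) for t, v in attrs)
    ma_value = 20 + len(body) + 2            # offset of the 16 MAC bytes
    body += attr(MSG_AUTH, bytes(16))
    pkt = bytearray(struct.pack("!BBH16s", 1, ident, 20 + len(body), authenticator) + body)
    pkt[ma_value:ma_value + 16] = hmac.new(secret, bytes(pkt), "md5").digest()
    return bytes(pkt)

def check(pkt, secret):
    """Return (length_ok, mac_ok) for a received packet."""
    length_ok = struct.unpack("!H", pkt[2:4])[0] == len(pkt)
    pos, mac_ok = 20, False
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return False, False              # malformed attribute, stop parsing
        if atype == MSG_AUTH and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, "md5").digest()
            mac_ok = hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return length_ok, mac_ok

def request_0x7e(secret=SECRET):
    """The id 0x7e Access-Request, fields copied from the quoted example."""
    return build_request(0x7E, bytes.fromhex("F5E55840E324AA49D216D9DBD069807E"), [
        (NAS_IP, socket.inet_aton("192.0.2.38")),
        (NAS_PORT, struct.pack("!I", 5)),
        (DIGEST_METHOD, b"GET"),
        (DIGEST_URI, b"/index.html"),
    ], secret)

if __name__ == "__main__":
    pkt = request_0x7e()
    print(len(pkt), check(pkt, SECRET))
```

Because the Length field sits inside the data covered by the HMAC, a packet whose stated length is altered after signing fails both checks.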


