Re: [Issue 252] Query regarding currentId in eap-statemachine-03

From: Nick Petroni (npetroni
Date: Thu, 8 Jul 2004 11:09:43 -0400 (EDT)

Suresh,
IMHO this is not a problem with the state machine. The situation you have
described, whereby only two values are used for the identifier, is
completely allowable in EAP. Section 4.1 of RFC 3748 states the following:

   Identifier

      The Identifier field is one octet.  The Identifier field MUST be
      the same if a Request packet is retransmitted due to a timeout
      while waiting for a Response.  Any new (non-retransmission)
      Requests MUST modify the Identifier field.

      The Identifier field of the Response MUST match that of the
      currently outstanding Request.  An authenticator receiving a
      Response whose Identifier value does not match that of the
      currently outstanding Request MUST silently discard the Response.

      In order to avoid confusion between new Requests and
      retransmissions, the Identifier value chosen for each new Request
      need only be different from the previous Request, but need not be
      unique within the conversation.  One way to achieve this is to
      start the Identifier at an initial value and increment it for each
      new Request.  Initializing the first Identifier with a random
      number rather than starting from zero is recommended, since it
      makes sequence attacks somewhat more difficult.

      Since the Identifier space is unique to each session,
      authenticators are not restricted to only 256 simultaneous
      authentication conversations.  Similarly, with re-authentication,
      an EAP conversation might continue over a long period of time, and
      is not limited to only 256 roundtrips.

As you can see, each message simply needs a different Identifier from the
previous message, so alternation is quite ok. Furthermore, the situation
you have described is the running of multiple instances of the EAP state
machine for the purposes of 802.1X reauthentication. Technically these
values repeat, but only among different "runs" of EAP. The range of 0-255
is the POSSIBLE values of the identifier field, you are explicitly not
guaranteed to use all values or prevent collision among runs.
Unless I am missing something in your question I would like to propose we
reject the comment as an Issue with the SM.
Best,
nick
Nick L. Petroni, Jr.
Graduate Student, Computer Science
Maryland Information Systems Security Lab
University of Maryland
http://www.cs.umd.edu/~npetroni
On Thu, 24 Jun 2004, Suresh Babu wrote:
>
> Hi friends,
>
> I had the following doubt.
>
> When starting (initializing) the state machine, the currentid is
> initialized to NONE.
> After successful reauthentication in MD5 case it goes to 1, and sends a
> success packet
> with id=1. When the reAuthWhen timer expires in 802.1x layer, it reaches
> RESTART state and sets eapRestart to TRUE. So to move to CONNECTING state we
> had to make eapRestart FALSE. This is set by eap-statemachine, so again
> currentId becomes NONE.
> So under what conditions can currentid have 0-255 values? Here I'm able
> to get only
> 0-1. How to get around this problem?
> Thanx in Advance,
> Suresh Babu
>
>
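
The Identifier rules quoted above from RFC 3748 section 4.1, as an added Python sketch that is not part of the original thread or of the eap-statemachine draft. The names EapRequestIds, first_id and reauth_runs are hypothetical, incrementing by one is the approach the RFC text suggests, and starting each run at 0 is an assumption made to reproduce the 0-1 pattern from the question.

```python
import secrets


class EapRequestIds:
    """Authenticator-side Identifier bookkeeping for one EAP state machine."""

    def __init__(self, first_id=None):
        self.first_id = first_id   # None: pick a random start, as RFC 3748 recommends
        self.current_id = None     # None models the draft's currentId = NONE
        self.outstanding = False

    def new_request(self):
        """New (non-retransmitted) Request: the Identifier MUST change."""
        if self.current_id is None:
            start = secrets.randbelow(256) if self.first_id is None else self.first_id
            self.current_id = start & 0xFF
        else:
            self.current_id = (self.current_id + 1) & 0xFF   # one octet, wraps 255 -> 0
        self.outstanding = True
        return self.current_id

    def retransmit(self):
        """Timeout while waiting for a Response: resend with the same Identifier."""
        if not self.outstanding:
            raise RuntimeError("no outstanding Request to retransmit")
        return self.current_id

    def on_response(self, resp_id):
        """True if accepted; False means silently discard (mismatch or duplicate)."""
        if not self.outstanding or resp_id != self.current_id:
            return False
        self.outstanding = False
        return True

    def restart(self):
        """eapRestart: a new run of EAP begins, currentId goes back to NONE."""
        self.current_id = None
        self.outstanding = False


def reauth_runs(runs, requests_per_run, first_id=None):
    """Identifier sequence of each run, with a restart between runs."""
    sm, history = EapRequestIds(first_id), []
    for _ in range(runs):
        sm.restart()
        ids = []
        for _ in range(requests_per_run):
            rid = sm.new_request()
            sm.on_response(rid)
            ids.append(rid)
        history.append(ids)
    return history
```

With first_id=0 and two Requests per run, every run uses only Identifiers 0 and 1, and each rule in the quoted section still holds.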