eap Mailing List: Re: [Issue 252] Query regarding currentId in eap-statemachine-03

[Jari Arkko (jari.arkko]

Nick,

I agree with your assessment. I think we can reject
#252.

--Jari

Nick Petroni wrote:
> Suresh,
>
> IMHO this is not a problem with the state machine. The situation you have
> described, whereby only two values are used for the identifier, is
> completely allowable in EAP. Section 4.1 of RFC 3748 states the following:
>
>   Identifier
>
>       The Identifier field is one octet.  The Identifier field MUST be
>       the same if a Request packet is retransmitted due to a timeout
>       while waiting for a Response.  Any new (non-retransmission)
>       Requests MUST modify the Identifier field.
>
>       The Identifier field of the Response MUST match that of the
>       currently outstanding Request.  An authenticator receiving a
>       Response whose Identifier value does not match that of the
>       currently outstanding Request MUST silently discard the Response.
>
>       In order to avoid confusion between new Requests and
>       retransmissions, the Identifier value chosen for each new Request
>       need only be different from the previous Request, but need not be
>       unique within the conversation.  One way to achieve this is to
>       start the Identifier at an initial value and increment it for each
>       new Request.  Initializing the first Identifier with a random
>       number rather than starting from zero is recommended, since it
>       makes sequence attacks somewhat more difficult.
>
>       Since the Identifier space is unique to each session,
>       authenticators are not restricted to only 256 simultaneous
>       authentication conversations.  Similarly, with re-authentication,
>       an EAP conversation might continue over a long period of time, and
>       is not limited to only 256 roundtrips.
>
> As you can see, each message simply needs a different Identifier from the
> previous message, so alternation is quite ok. Furthermore, the situation
> you have described is the running of multiple instances of the EAP state
> machine for the purposes of 802.1X reauthentication. Technically these
> values repeat, but only among different "runs" of EAP. The range of 0-255
> the POSSIBLE values of the identifier field, you are explicitly not
> guaranteed to use all values or prevent collision among runs.
>
> Unless I am missing something in your question I would like to propose we
> reject the comment as an Issue with the SM.
>
> Best,
> nick
>
> Nick L. Petroni, Jr.
> Graduate Student, Computer Science
> Maryland Information Systems Security Lab
> University of Maryland
> http://www.cs.umd.edu/~npetroni
>
> On Thu, 24 Jun 2004, Suresh Babu wrote:
>
>
> > Hi friends,
> >
> > I had the follwing doubt.
> >
> >          When starting(initializing) the state machine,the currentid is 
> > initialized to NONE.
> > After successful reauthentication in MD5 case it goes to 1, and sends a success 
> > packet
> > with id=1, When the reAuthWhen timer expires in 802.1x layer, it reaches 
> > RESTART state and sets eapRestart to TRUE, So to move to CONNCTING state we had 
> > make eapRestart as FALSE,  This is set by eap-statemachine. so again currentId 
> > becomes NONE.
> >    So under what conditions  currentid can have 0-255 values, here i`m able get 
> > only
> > 0-1. How to get around of this problem?
> > Thanx in Advance,
> > Suresh Babu
> >
> >
> > ---------------------------------
> > Do you Yahoo!?
> > New and Improved Yahoo! Mail - Send 10MB messages!
>
>
>
>
> _______________________________________________
> eap mailing list
> eap [at] frascone.com
> http://mail.frascone.com/mailman/listinfo/eap