[Swan] RFC-5998 confusion, was Re: Failed to match authenticator

Yaron Sheffer yaronf.ietf at gmail.com
Thu Jan 19 22:50:42 UTC 2017 

Hi John, Paul,

I'm not clear about several points in your mail below.

- As far as I can see, RFC 5998 doesn't mention KE payloads at all. So 
it's legitimate for a responder to choke upon receiving message #3 with 
this payload.

- RFC 5998 does assume, perhaps implicitly, that the responder speaks 
EAP. What it is adding is a transition into certificate-less 
authentication for cases where EAP performs mutual authentication. In 
fact, a responder that doesn't do normal IKE+EAP (RFC 7296, Sec. 2.16) 
would reject a normal EAP-based exchange because of the missing AUTH 
payload, regardless of RFC 5998.

Given this assumption, I don't think that the paragraph you're quoting 
is in error.

Thanks,
	Yaron

On 19/01/17 08:44, Paul Wouters wrote:
> On Tue, 17 Jan 2017, John Crisp wrote:
>
> [ Re-added the list as it might be interesting for others as well ]
>
> [ John gave me a big log file to look at ]
>
> [ Added Yaron Sheffer because he is the author of RFC 5998 so he
>   can tell me if I should file an ERRATA or not ]
>
>
>> This is a connection from Opnsense using FreeBSD strongSwan
>> U5.51/K10.3-RELEASE-p14
>
> So it looks like that strongswan connection is trying to use
> an EAP-only authentication message. So no certificates and no
> preshared key. libreswan does not support EAP or EAP-only
> authentication. So this connection will fail or it will fallback
> to regular IKE_AUTH.
>
> This is defined in https://tools.ietf.org/html/rfc5998
>
> We can see this because we receive:
>
> Jan 17 01:11:18: |    Notify Message Type: v2N_EAP_ONLY_AUTHENTICATION
> (0x4021)
>
> However, the RFC states:
>
>    If the responder does not support the EAP_ONLY_AUTHENTICATION
>    notification or does not wish to use it, it ignores the notification
>    payload, and includes the AUTH payload in message 4.  In this case,
>    the initiator MUST verify that payload and any associated
>    certificates, as per [RFC4306].
>
>    When receiving message 4, the initiator MUST verify that the proposed
>    EAP method is allowed by this specification, and MUST abort the
>    protocol immediately otherwise.
>
> However, for this fallback to work, libreswan should send a regular AUTH
> payload ignoring the EAP_ONLY_AUTHENTICATION. It did not do that. We
> can see why it did not do this:
>
> Jan 17 01:11:18: "TestToWorkMain"[2] 213.123.128.243 #5: payload(s)
> (ISAKMP_NEXT_v2KE) unexpected. Message dropped.
>
> If you look at section 3 of RFC-5998, you can see that even with
> EAP_ONLY_AUTHENTICATION, the only Exchange where KE payloads are
> exchanged is in IKE_INIT (message 1 and 2, see the KEi and KEr payloads)
> It is rejecting IKE_AUTH exchange packets with a KE payload in it.
>
> So libreswan is still correct that finding a KE payload in an IKE_AUTH
> Exchange is wrong and the packet should be rejected.
>
> But I am still confused. Let's for a second assume the bad KE payload
> is not there or we would just ignore it. It still would not be able to
> do the fallback described in the RFC.
>
> What is supposed to happen if libreswan (responder) wants to do the
> fallback to normal AUTH. Since the initiator's IKE_AUTH packet is not
> supposed to contain an AUTH payload, libreswan can never authenticate it,
> so it will always send an IKE_AUTH error response at best.
>
> So one might assume RFC-5998 is wrong. And that this is why strongswan
> still sends an AUTH payload in the IKE_AUTH exchange, even if it is
> configured with EAP_ONLY_AUTHENTICATION. To allow the fallback to
> succeed.
>
> Jan 17 01:11:18: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH)
>
> The AUTH payload sent by strongswan is for PSK. It would have matched
> the libreswan configuration for authentication (which John also send me)
>
> Paul

More information about the Swan mailing list