From owner-freebsd-net Thu May 9 17:15:15 2002
From: Archie Cobbs
Message-Id: <200205092357.g49Nvb204332@arch20m.dellroad.org>
Subject: Re: mpd-netgraph problem.
In-Reply-To: <20020509164557.A28528@dogberry.braithwaite.net> "from Matthew Braithwaite at May 9, 2002 04:45:57 pm"
To: Matthew Braithwaite
Date: Thu, 9 May 2002 16:57:37 -0700 (PDT)
Cc: Archie Cobbs, dgilbert@velocet.ca, freebsd-net@FreeBSD.ORG

Matthew Braithwaite writes:
> > So that's screwy if you're doing MPPE encryption because which
> > authentication do you use to generate the MPPE keys?? Apparently
> > we are using the wrong one. In any case, we can't use the first
> > one because we'd need the yes/no response to generate MPPE keys
> > from CHAP MSOFTv2 authentication.
>
> Let me see if I understand: a key used in CHAP authentication is also
> used for MPPE. However, I authenticate twice, once using CHAP MSOFTv2
> and once using CHAP MSOFTv2 -- and you think mpd is choosing the MPPE
> key from the wrong one of these two authentications?

Once using MSOFTv2 and then a second time using MSOFTv1.

According to RFC 3079, you should generate the keys from the first
authentication. However, this is impossible because your server is
never completing that authentication.

> Is there a way to fix this in mpd? According to the manual you *have*
> to use CHAP MSOFTv2 to use MPPE, so I'd think it'd be okay to
> categorically ignore -- for MPPE purposes -- any key obtained through
> a CHAP MSOFTv1 authentication.

The manual is wrong; you can generate keys from MSOFTv1 or MSOFTv2.
See RFC 3079.

> Can I force mpd to speak *only* CHAP MSOFTv2? I don't find any such
> option in the manual, unfortunately.

No, that needs to be added...

-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com
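An added illustration of the RFC 3079 derivations the thread is about (example code, not from the thread or from mpd): the MS-CHAP-1 128-bit start key is built from the 8-octet challenge and is the same in both directions, while the MS-CHAP-2 keys need the 24-octet NT-Response of a completed v2 exchange and are direction-specific, so if one side takes its material from the v1 exchange and the other from the v2 exchange they end up with keys they do not share. The password-hash-hash, challenge and NT-Response bytes are constructed samples, not RFC test vectors.

```python
import hashlib

# Constants from RFC 3079 (MS-CHAP-1 in section 2.2, MS-CHAP-2 in section 3.3).
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHA_PAD1 = b"\x00" * 40
SHA_PAD2 = b"\xf2" * 40


def mschapv1_128bit_key(pw_hash_hash: bytes, challenge: bytes) -> bytes:
    """RFC 3079 2.2: one start key, used in both directions, from the 8-octet MS-CHAP-1 challenge."""
    assert len(pw_hash_hash) == 16 and len(challenge) == 8
    return hashlib.sha1(pw_hash_hash + pw_hash_hash + challenge).digest()[:16]


def mschapv2_master_key(pw_hash_hash: bytes, nt_response: bytes) -> bytes:
    """RFC 3079 3.3 GetMasterKey: needs the 24-octet NT-Response of the completed v2 exchange."""
    assert len(pw_hash_hash) == 16 and len(nt_response) == 24
    return hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()[:16]


def mschapv2_session_key(master_key: bytes, is_send: bool, is_server: bool, length: int = 16) -> bytes:
    """RFC 3079 3.3 GetAsymmetricStartKey: per-direction keys, mirrored between client and server."""
    if is_send:
        magic = MAGIC3 if is_server else MAGIC2
    else:
        magic = MAGIC2 if is_server else MAGIC3
    return hashlib.sha1(master_key + SHA_PAD1 + magic + SHA_PAD2).digest()[:length]


def derive_keys(pw_hash_hash: bytes, challenge: bytes, nt_response: bytes) -> dict:
    """Keys a peer would use depending on which authentication it takes its material from."""
    master = mschapv2_master_key(pw_hash_hash, nt_response)
    return {
        "v1_both_directions": mschapv1_128bit_key(pw_hash_hash, challenge),
        "v2_client_send": mschapv2_session_key(master, True, False),
        "v2_client_recv": mschapv2_session_key(master, False, False),
        "v2_server_send": mschapv2_session_key(master, True, True),
        "v2_server_recv": mschapv2_session_key(master, False, True),
    }


# Constructed sample inputs (not RFC vectors); pw_hash_hash would really be MD4(MD4(password)).
SAMPLE_PW_HASH_HASH = bytes(range(0x10, 0x20))
SAMPLE_V1_CHALLENGE = bytes(range(0x30, 0x38))
SAMPLE_V2_NT_RESPONSE = bytes(range(0x40, 0x58))

if __name__ == "__main__":
    for name, key in derive_keys(SAMPLE_PW_HASH_HASH, SAMPLE_V1_CHALLENGE, SAMPLE_V2_NT_RESPONSE).items():
        print(f"{name:20s} {key.hex()}")
```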