Hi Alan,

Many thanks for your remark. I have transferred it to the EAP-PSK design team and they should come back to you by tomorrow, after having studied the TTLS design you suggest.

However, when you say "If you want to convince people to use your system, re-using existing code & design is excellent practice", you seem quite unfair IMHO, as the EAP-PSK attribute design is precisely inspired by the EAP-SIM AT_IDENTITY attribute design (see http://www.ietf.org/internet-drafts/draft-haverinen-pppext-eap-sim-13.txt), namely, please see section 7.8, page 55:

    7.8 AT_IDENTITY

    The format of the AT_IDENTITY attribute is shown below.

    ...

    The use of the AT_IDENTITY is defined in Section 4.2. The value
    field of this attribute begins with 2-byte actual identity length,
    which specifies the length of the identity in bytes. This field is
    followed by the subscriber identity of the indicated actual length.
    The identity is the permanent identity, a pseudonym identity or a
    fast re-authentication identity. The identity format is specified
    in Section 4.2.1. The same identity format is used in the
    AT_IDENTITY attribute and the EAP-Response/Identity packet, with
    the exception that the peer MUST NOT decorate the identity it
    includes in AT_IDENTITY. The identity does not include any
    terminating null characters. Because the length of the attribute
    must be a multiple of 4 bytes, the sender pads the identity with
    zero bytes when necessary.

Anyway, thanks again for the piece of advice,

BR,
Aurelien

--- Alan DeKok <[EMAIL PROTECTED]> a écrit :
> [EMAIL PROTECTED] wrote:
> > http://perso.rd.francetelecom.fr/bersani/EAP_PSK/EAP-PSK.htm
> > We intend to publish the first EAP-PSK implementation
> > in the next weeks.
>
> PLEASE fix the protocol. PLEASE PLEASE fix the protocol.
>
> ------
>      0                   1                   2                   3
>      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>     |   AT_IDRES    |    Length     |    Actual Identity Length     |
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>     |                                                               |
>     :                           Identity                            :
>     :                                                               :
>     |                                                               |
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
>     ...
>
>     The identity does not include any terminating null characters.
>     Because the length of the attribute must be a multiple of 4 bytes,
>     the sender pads the identity with zero bytes when necessary.
> ----
>
> The "actual identity length" field is NOT needed. DELETE IT.
> Having two lengths is a recipe for disaster. In fact, inventing a new
> attribute format is a waste of time.
>
> See the EAP-TTLS draft for examples of a better attribute design.
> It uses one length, padded fields, and there are NO problems.
>
> The extra bytes sent in the packets by using EAP-TTLS attributes
> instead of your attribute design are *irrelevant*. The code savings,
> development time, maintenance, decreased bugs, and decreased security
> flaws caused by re-using existing code will be HUGE.
>
> e.g. You can steal the existing code in rlm_eap_ttls/ttls.c to
> create/parse the attributes. You can define EAP-PSK-FOO attributes in
> the dictionary, to re-use the existing VALUE_PAIR data structures.
> The savings will be *significant*.
>
> If you want to convince people to use your system, re-using existing
> code & design is excellent practice.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
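As an added illustration of the point argued in this exchange (two length fields in one attribute, which a receiver must reconcile before using either), here is a small parser and encoder for an attribute laid out like the AT_IDENTITY excerpt quoted above: a type byte, a Length in units of 4 bytes covering the whole attribute, a 2-byte Actual Identity Length, the identity, and zero padding to a 4-byte boundary. This is example code written for this page, not code from FreeRADIUS, the EAP-PSK implementation or the EAP-SIM draft; the function and enum names are mine, the sample attributes are constructed, and the receiver-side check that the inner length fits inside the outer length (and that padding is zero) is the defensive step a parser of such a format needs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wire layout assumed here, following the AT_IDENTITY excerpt quoted in the
 * thread: type, Length (units of 4 bytes, whole attribute), 2-byte Actual
 * Identity Length (big-endian), identity bytes, zero padding to 4n bytes. */
#define AT_HDR_LEN       4
#define AT_MAX_OUTER     (255u * 4u)               /* Length is a single byte */
#define AT_MAX_IDENTITY  (AT_MAX_OUTER - AT_HDR_LEN)
#define AT_IDENTITY_TYPE 14                        /* EAP-SIM AT_IDENTITY type code */

typedef enum {
    AT_OK = 0,
    AT_ERR_TRUNCATED,     /* buffer shorter than the header, or than Length*4 */
    AT_ERR_OUTER_LENGTH,  /* Length field is 0: cannot even hold the header  */
    AT_ERR_INNER_LENGTH,  /* Actual Identity Length exceeds Length*4 - 4     */
    AT_ERR_PADDING        /* bytes after the identity are not all zero       */
} at_status;

/* Parse one attribute. On AT_OK, *identity/*identity_len point into buf
 * (no copy, no NUL terminator) and *consumed is the attribute's total size. */
at_status parse_at_identity(const uint8_t *buf, size_t buflen,
                            const uint8_t **identity, size_t *identity_len,
                            size_t *consumed)
{
    if (buflen < AT_HDR_LEN)
        return AT_ERR_TRUNCATED;

    size_t outer = (size_t)buf[1] * 4;             /* total attribute size */
    if (outer < AT_HDR_LEN)
        return AT_ERR_OUTER_LENGTH;
    if (outer > buflen)
        return AT_ERR_TRUNCATED;

    size_t inner = ((size_t)buf[2] << 8) | buf[3]; /* identity byte count */
    /* The two lengths must agree: trusting 'inner' alone would read past
     * the end of the attribute (and possibly the packet). */
    if (inner > outer - AT_HDR_LEN)
        return AT_ERR_INNER_LENGTH;

    for (size_t i = AT_HDR_LEN + inner; i < outer; i++)
        if (buf[i] != 0)
            return AT_ERR_PADDING;

    *identity = buf + AT_HDR_LEN;
    *identity_len = inner;
    *consumed = outer;
    return AT_OK;
}

/* Build an attribute into out; returns bytes written, or 0 if it cannot fit. */
size_t encode_at_identity(uint8_t type, const uint8_t *id, size_t idlen,
                          uint8_t *out, size_t outlen)
{
    if (idlen > AT_MAX_IDENTITY)
        return 0;
    size_t outer = (AT_HDR_LEN + idlen + 3) & ~(size_t)3;  /* round up to 4 */
    if (outer > outlen)
        return 0;
    out[0] = type;
    out[1] = (uint8_t)(outer / 4);
    out[2] = (uint8_t)(idlen >> 8);
    out[3] = (uint8_t)(idlen & 0xff);
    memcpy(out + AT_HDR_LEN, id, idlen);
    memset(out + AT_HDR_LEN + idlen, 0, outer - AT_HDR_LEN - idlen);
    return outer;
}

/* Constructed samples, not captured traffic. "user@realm" is 10 bytes, so
 * header + identity = 14, padded to 16 bytes => Length = 4. */
static const uint8_t SAMPLE_GOOD[16] = {
    AT_IDENTITY_TYPE, 4, 0, 10, 'u','s','e','r','@','r','e','a','l','m', 0, 0 };
/* Same bytes, but the inner length claims 100 identity bytes. */
static const uint8_t SAMPLE_INNER_TOO_LONG[16] = {
    AT_IDENTITY_TYPE, 4, 0, 100, 'u','s','e','r','@','r','e','a','l','m', 0, 0 };
/* Non-zero byte where zero padding is required. */
static const uint8_t SAMPLE_BAD_PADDING[16] = {
    AT_IDENTITY_TYPE, 4, 0, 10, 'u','s','e','r','@','r','e','a','l','m', 0, 0x41 };
/* Length field of 0: the attribute claims to be smaller than its own header. */
static const uint8_t SAMPLE_ZERO_LENGTH[4] = { AT_IDENTITY_TYPE, 0, 0, 0 };

at_status check_sample(const uint8_t *buf, size_t buflen)
{
    const uint8_t *id; size_t idlen, used;
    return parse_at_identity(buf, buflen, &id, &idlen, &used);
}

/* Encode then parse; returns 1 if the identity survives the round trip. */
int round_trip(const char *identity)
{
    uint8_t buf[AT_MAX_OUTER];
    size_t n = encode_at_identity(AT_IDENTITY_TYPE, (const uint8_t *)identity,
                                  strlen(identity), buf, sizeof buf);
    if (n == 0) return 0;
    const uint8_t *id; size_t idlen, used;
    if (parse_at_identity(buf, n, &id, &idlen, &used) != AT_OK) return 0;
    return used == n && idlen == strlen(identity) && memcmp(id, identity, idlen) == 0;
}

int main(void)
{
    printf("good=%d inner_too_long=%d truncated=%d bad_padding=%d zero_length=%d\n",
           check_sample(SAMPLE_GOOD, sizeof SAMPLE_GOOD),
           check_sample(SAMPLE_INNER_TOO_LONG, sizeof SAMPLE_INNER_TOO_LONG),
           check_sample(SAMPLE_GOOD, 8),
           check_sample(SAMPLE_BAD_PADDING, sizeof SAMPLE_BAD_PADDING),
           check_sample(SAMPLE_ZERO_LENGTH, sizeof SAMPLE_ZERO_LENGTH));
    printf("round_trip=%d\n", round_trip("user@realm"));
    return 0;
}
```

The design choice worth noting is that every check is against the outer Length, which is also the only length an EAP-TTLS-style single-length attribute would carry; the inner field adds nothing the parser could not derive from the outer one plus the zero padding, which is why a receiver has to treat a mismatch between the two as a malformed attribute rather than pick one of them to believe.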

