Hello,

On Tue, Mar 09, 2021 at 02:41:43PM +0900, YASUOKA Masahiko wrote:
> Hi,
> 
> I looked into the ICCN packets you sent me separately.  Its "Proxy Authen
> Challenge" length is 31 and "Proxy Authen Type" is PPP CHAP.  The
> message seems to comply with RFC 2661.
> 
> Also what I said
> >> It's for CHAP or MSCHAPv1.  If MD5 is selected for PPP CHAP, the
> >> challenge length for CHAP is 16 octet.  The challenge for MSCHAPv1 is
> >> also 8 octet, but npppd doesn't support MSCHAPv1 anyway.  So 24 must be
> >> enough for RFC 2661.
> 
> is false.  The length of the challenge is "independent of the hash algorithm".
> 
> In RFC 1994 (PPP CHAP):
> |      The Challenge Value is a variable stream of octets.  The
> |      importance of the uniqueness of the Challenge Value and its
> |      relationship to the secret is described above.  The Challenge
> |      Value MUST be changed each time a Challenge is sent.  The length
> |      of the Challenge Value depends upon the method used to generate
> |      the octets, and is independent of the hash algorithm used.
> 
> it doesn't state the limit clearly.
> 
> I suppose 24 had been long enough for many implementations, but
> actually the new Juniper is using 31-63
> 
> >> > Feb  8 11:42:53 edge9 npppd[86416]: l2tpd ctrl=5477 call=32713 Received 
> >> > bad ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 40 > 24
> >> > Feb  8 11:42:53 edge9 npppd[86416]: l2tpd ctrl=5477 call=32713 SendCDN 
> >> > result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none
> >> > Feb  8 11:42:54 edge9 npppd[86416]: l2tpd ctrl=5477 call=29504 Received 
> >> > bad ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 62 > 24
> >> > Feb  8 11:42:54 edge9 npppd[86416]: l2tpd ctrl=5477 call=29504 SendCDN 
> >> > result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none
> >> > Feb  8 11:43:01 edge9 npppd[86416]: l2tpd ctrl=5477 call=31527 Received 
> >> > bad ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 46 > 24
> >> > Feb  8 11:43:01 edge9 npppd[86416]: l2tpd ctrl=5477 call=31527 SendCDN 
> >> > result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none
> >> > Feb  8 11:43:06 edge9 npppd[86416]: l2tpd ctrl=5477 call=1626 Received 
> >> > bad ICCN: Attribute value is too long PROXY_AUTHEN_CHALLENGE 63 > 24
> >> > Feb  8 11:43:06 edge9 npppd[86416]: l2tpd ctrl=5477 call=1626 SendCDN 
> >> > result=ERROR_CODE/2 error=WRONG_LENGTH/2 messsage=none
> 
> So I suppose changing the following limit will solve the problem.
> 
>   #define MAX_CHALLENGE_LENGTH    24
> 
> Also I found a Juniper document,
> 
>   https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/challenge-length-edit-dynamic-profiles-chap.html
> 
> the max challenge length can be configured to 63 at the maximum.
> 
> I'm thinking of changing the limit in npppd to 96.

I've completed testing a build of npppd with MAX_CHALLENGE_LENGTH set to 96:

Index: npppd/ppp.h
===================================================================
RCS file: /cvs/src/usr.sbin/npppd/npppd/ppp.h,v
retrieving revision 1.21
diff -u -p -r1.21 ppp.h
--- npppd/ppp.h 12 Aug 2017 11:20:34 -0000      1.21
+++ npppd/ppp.h 9 Mar 2021 19:17:33 -0000
@@ -82,7 +82,7 @@
 
 #define        MAX_USERNAME_LENGTH     256
 #define        MAX_PASSWORD_LENGTH     256
-#define MAX_CHALLENGE_LENGTH    24
+#define MAX_CHALLENGE_LENGTH    96
 
 #define INADDR_IPCP_OBEY_REMOTE_REQ    0x00000000L
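Review bot: the new value on the `+#define MAX_CHALLENGE_LENGTH    96` line carries no comment recording why the limit moved from 24, or why 96 rather than the 63-octet maximum the Juniper documentation in the thread gives, so the next reader who sees an "Attribute value is too long PROXY_AUTHEN_CHALLENGE" rejection has no pointer back to RFC 1994 (challenge length is independent of the hash algorithm) or to the 31-63 octet challenges observed from the new equipment. Suggest a one-line comment above the define, e.g. `/* RFC 1994: CHAP challenge length is not tied to the hash; Juniper sends up to 63 */`. Since this constant is what the ICCN check in the earlier log lines compared the AVP length against (`40 > 24`), it is also worth confirming that every buffer receiving a Proxy Authen Challenge is declared with MAX_CHALLENGE_LENGTH rather than a literal 24, so the larger limit cannot outgrow a fixed-size destination.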


With this in place, things are still working with our upstream's new
equipment!  This has also cleared up the "Proxy Authen Challenge is too
long" errors from layer=chap, and our sessions consistently establish
cleanly:

Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=lcp dialin-proxy 
user=xxxx...@pppoe.example.com auth-type=MD5-CHAP renegotiate=no
Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=base logtype=Started 
tunnel=L2TP(1.2.3.4:1701)
Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=lcp logtype=Opened 
mru=1460/1460 auth=MD5-CHAP magic=xx55f2ac/xx65f7d0
Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=chap proto=chap 
logtype=Success username="xxxx...@pppoe.example.com" realm=PGS-DYNAMIC
Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=ipcp IP Address peer=0.0.0.0 
our=5.6.7.8.
Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=ipcp logtype=Opened 
ip=5.6.7.8 assignType=dynamic
Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=base logtype=TUNNELSTART 
user="xxxx...@pppoe.example.com" duration=0sec layer2=L2TP 
layer2from=1.2.3.4:1701 auth=MD5-CHAP  ip=5.6.7.8 iface=pppac1 dialin_proxy=yes
Mar  8 23:00:45 edge9 npppd[9258]: ppp id=27 layer=base Using pipex=yes


Thank you again for your help and taking the time to look over the packet
captures.

-Ryan

Ryan Freeman
Senior Systems Administrator
Uniserve Communications
Suite 330 - 333 Terminal Avenue, Vancouver, BC V6A 4C1
Phone: 604.395.3905
Email:  ryan.free...@uniserveteam.com
www.uniserve.com
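The length check the thread is about, as an added example that is not npppd's own code: a minimal parser for one L2TP AVP (RFC 2661 header: 2-byte flags/length, 2-byte vendor id, 2-byte attribute type; Proxy Authen Challenge is attribute type 11) that accepts a challenge only if it fits the configured limit, and a helper that builds a constructed AVP of a given challenge length so the two limits from the thread (24 and 96) can be compared against the challenge sizes seen in the log lines. The AVP layout and the 1023-octet cap follow RFC 2661; the buffer size and helper names are this example's own assumptions. The point for a defender is that the limit must stay tied to the destination buffer size so that raising it never turns a strict check into an overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OLD_MAX_CHALLENGE_LENGTH 24   /* limit the thread found too small */
#define NEW_MAX_CHALLENGE_LENGTH 96   /* limit proposed in the thread */
#define AVP_HDR_LEN 6                 /* flags/length, vendor id, attribute type */
#define AVP_PROXY_AUTHEN_CHALLENGE 11 /* RFC 2661 ICCN attribute type */

enum avp_result { AVP_OK = 0, AVP_TRUNCATED, AVP_WRONG_LENGTH, AVP_NOT_CHALLENGE };

/* Destination buffer; its size is what the limit must never exceed. */
struct challenge {
    uint8_t value[NEW_MAX_CHALLENGE_LENGTH];
    size_t  len;
};

/* Parse one AVP at buf[0..buflen). If it is a Proxy Authen Challenge whose
 * value is at most `limit` octets, copy the value into `out`. */
enum avp_result
parse_proxy_authen_challenge(const uint8_t *buf, size_t buflen,
    size_t limit, struct challenge *out)
{
    uint16_t avplen, attr;
    size_t vlen;

    if (buflen < AVP_HDR_LEN)
        return AVP_TRUNCATED;
    /* Length is the low 10 bits of the first 16-bit word and includes the header. */
    avplen = (uint16_t)(((buf[0] & 0x03) << 8) | buf[1]);
    if (avplen < AVP_HDR_LEN || avplen > buflen)
        return AVP_TRUNCATED;            /* claims more bytes than we received */
    attr = (uint16_t)((buf[4] << 8) | buf[5]);
    if (attr != AVP_PROXY_AUTHEN_CHALLENGE)
        return AVP_NOT_CHALLENGE;
    vlen = avplen - AVP_HDR_LEN;
    if (limit > sizeof(out->value))
        limit = sizeof(out->value);      /* never trust a limit larger than the buffer */
    if (vlen > limit)
        return AVP_WRONG_LENGTH;         /* npppd's "Attribute value is too long" case */
    memcpy(out->value, buf + AVP_HDR_LEN, vlen);
    out->len = vlen;
    return AVP_OK;
}

/* Build a constructed (not captured) Proxy Authen Challenge AVP carrying a
 * challenge of `vlen` octets. Returns bytes written, 0 if it does not fit. */
size_t
build_challenge_avp(uint8_t *buf, size_t buflen, size_t vlen)
{
    size_t total = AVP_HDR_LEN + vlen, i;

    if (total > buflen || total > 1023)  /* 10-bit length field */
        return 0;
    buf[0] = (uint8_t)(0x80 | ((total >> 8) & 0x03)); /* M bit set, H bit clear */
    buf[1] = (uint8_t)(total & 0xff);
    buf[2] = 0; buf[3] = 0;                            /* vendor id 0 = IETF */
    buf[4] = 0; buf[5] = AVP_PROXY_AUTHEN_CHALLENGE;
    for (i = 0; i < vlen; i++)
        buf[AVP_HDR_LEN + i] = (uint8_t)(0xa5 ^ i);    /* filler, not a real challenge */
    return total;
}

/* What a given limit says about a challenge of `vlen` octets. */
enum avp_result
check_challenge_len(size_t vlen, size_t limit)
{
    uint8_t buf[256];
    struct challenge c;
    size_t n = build_challenge_avp(buf, sizeof buf, vlen);

    if (n == 0)
        return AVP_TRUNCATED;
    return parse_proxy_authen_challenge(buf, n, limit, &c);
}

int
main(void)
{
    /* Challenge lengths taken from the rejection log lines in the thread. */
    size_t seen[] = { 40, 62, 46, 63 };
    size_t i;

    for (i = 0; i < sizeof seen / sizeof seen[0]; i++)
        printf("challenge %zu octets: limit 24 -> %s, limit 96 -> %s\n", seen[i],
            check_challenge_len(seen[i], OLD_MAX_CHALLENGE_LENGTH) == AVP_OK ? "ok" : "rejected",
            check_challenge_len(seen[i], NEW_MAX_CHALLENGE_LENGTH) == AVP_OK ? "ok" : "rejected");
    return 0;
}
```

Every length from the log (40, 62, 46, 63) is rejected at 24 and accepted at 96, while anything above the buffer size is still refused, and an AVP whose length field promises more bytes than arrived is dropped before any copy.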
