Issue #3037

Support of fast re-authentication feature

Added by Leela Mohan Peruboina 4 months ago. Updated 3 months ago.

Status: Feedback
Priority: Normal
Category: configuration
Affected version: 5.7.1
Resolution:

Description

Dear Tobias Brunner,

Can you please provide support for fast re-authentication feature verification?

In the source code, the eap-simaka-reauth and eap-simaka-pseudonym plugins are enabled as below in strongswan/Android.mk:

strongswan_CHARON_PLUGINS := x509 openssl ctr fips-prf random nonce pubkey \
pkcs1 pkcs8 pem xcbc hmac kernel-netlink socket-default \
stroke updown eap-identity eap-sim eap-aka eap-simaka-reauth eap-simaka-pseudonym eap-mschapv2 eap-md5 eap-gtc xauth-generic attr resolve android-log \
revocation curl android-log

But the UE does not use the identities received from the network.

04-23 12:29:26.677 14571 14579 I charon : 08[LIB] [card_set_pseudonym() 172] storing pseudonym '2LVxGOsMJHj1kBI9yR9ZGqBuHZH4jRSGqQtVG+6rRr/kcqk=' for ''
04-23 12:29:26.677 14571 14579 I charon : 08[LIB] [card_set_reauth() 216] storing next reauthentication identity '4LVxa5apfiddpmA3+M5T/vozumEWD1FEcJZZc3RIS2NhnOU=' for ''

1. Do let us know whether any other plug-ins are required?
2. Is it possible to share a working log of fast re-authentication?

Your feedback will be helpful.

Thank you.
Leela Mohan P

History

#1 Updated by Tobias Brunner 4 months ago

  • Category changed from libcharon to configuration
  • Status changed from New to Feedback

But the UE does not use the identities received from the network.

What do you mean? The log you posted is from the initial authentication, when it receives the identities that should be used later during a reauthentication. Note, however, that these plugins don't store the identities in a persistent way. So they won't be used for the next authentication in the Android app after the connection has been terminated (all libraries, i.e. the daemon and plugins, are deinitialized when that happens).

1. Do let us know whether any other plug-ins are required?

You might have to write your own, or change the existing ones, if you want to store the identities in a persistent way.

2. Is it possible to share a working log of fast re-authentication?

I don't have one, sorry.

#2 Updated by Leela Mohan Peruboina 4 months ago

Dear Tobias Brunner,

To support fast re-authentication, does the network have to support auth lifetime like below?

6747 6758 I /system/bin/charon: 07[ENC] [parse_body() 2088] parsed IKE_AUTH response 4 [ AUTH CPRP (16384)) N(SET_WINSIZE) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
6747 6758 I /system/bin/charon: 07[IKE] [set_auth_lifetime() 2304] received AUTH_LIFETIME of 7200s, scheduling reauthentication in 3600s

Please provide your feedback.

Thank you.

#3 Updated by Tobias Brunner 4 months ago

To support fast re-authentication, does the network have to support auth lifetime like below?

No. The identities, if available, are used for any later (re-)authentication whether that's triggered by an AUTH_LIFETIME notify, local configuration, or is a completely new connection. However, as I mentioned above, the plugins only store these in-memory, so the identities are not available after a restart of the daemon, or reinitialization of the libraries/plugins (as happens in the Android app).

#4 Updated by Leela Mohan Peruboina 4 months ago

Dear Tobias Brunner,

Thank you for quick feedback.

Does strongSwan v5.7.1 have a complete solution/feature for fast reauthentication?

#5 Updated by Tobias Brunner 4 months ago

Does strongSwan v5.7.1 have a complete solution/feature for fast reauthentication?

What do you mean? What do you consider "complete"?

#6 Updated by Leela Mohan Peruboina 3 months ago

Dear Tobias Brunner,

As you mentioned, the plug-ins can only store identities in memory, and they are not available after a restart of the daemon etc.
Does it mean that whoever wants to develop the fast re-auth feature has to handle storing those identities?
Can you explain with an example how those identities can be stored?
Is this kind of mechanism (storing values from plug-ins) already available for any values/identities?

Please provide your valuable feedback.

Thank you.
Leela Mohan P

#7 Updated by Tobias Brunner 3 months ago

Does it mean that whoever wants to develop the fast re-auth feature has to handle storing those identities?

If they want to do that in a permanent way, yes.

Can you explain with an example how those identities can be stored?

Just look at the existing plugins and write a plugin (or adapt the existing ones) to store the identities in any way you want.

Is this kind of mechanism (storing values from plug-ins) already available for any values/identities?

Not related to this, but there are other plugins that store identities or chunks to e.g. files or a database (e.g. coupling or sql-attr). The %Y printf-specifier can be used to get a string representation, and using get_type()/get_encoding() gets you the type and raw binary value.

Just the usual disclaimer: strongSwan and its plugins are licensed under the GPLv2, if you need a commercial license, please feel free to contact us via email.
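The persistent storage that #1 and #7 say a custom plugin would have to provide has no example in this thread; the following is an added illustration, not strongSwan code and not a plugin: a file-backed store that such a plugin could call from the card_set_pseudonym()/card_set_reauth() hooks seen in the log above. The simaka_ids_t struct, the tab-separated file format and the MAX_ID bound are assumptions made here; the store keeps the pseudonym reusable, hands the reauthentication identity out only once, and copes with the empty permanent identity ('') that the log shows.

```c
/* Added example (not strongSwan code): persist the identities eap-simaka-* holds in memory */
#define _POSIX_C_SOURCE 200809L /* for open()/fdopen() */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#define MAX_ID 128 /* assumed upper bound for one identity string */

typedef struct {
    char perm[MAX_ID];      /* permanent identity; "" in the log above */
    char pseudonym[MAX_ID]; /* reusable until the network sends a new one */
    char reauth[MAX_ID];    /* next reauthentication identity, single-use */
} simaka_ids_t;
/* One line "perm\tpseudonym\treauth", mode 0600: the reauth identity is bound
 * to keying material, so only the daemon's user may read the file. */
int ids_save(const char *path, const simaka_ids_t *ids)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    FILE *f = fd < 0 ? NULL : fdopen(fd, "w");
    if (!f) { return -1; }
    fprintf(f, "%s\t%s\t%s\n", ids->perm, ids->pseudonym, ids->reauth);
    return fclose(f) == 0 ? 0 : -1;
}

/* Split on tabs by hand so empty fields (perm == "") survive; strtok() would
 * collapse adjacent tabs and shift the remaining fields. */
int ids_load(const char *path, simaka_ids_t *ids)
{
    char line[3 * MAX_ID + 3], *p = line, *dst[3] = { ids->perm, ids->pseudonym, ids->reauth };
    FILE *f = fopen(path, "r");
    if (!f) { return -1; }
    if (!fgets(line, sizeof line, f)) { fclose(f); return -1; }
    fclose(f);
    line[strcspn(line, "\n")] = '\0';
    for (int i = 0; i < 3; i++) {
        char *tab = strchr(p, '\t');
        if (tab) { *tab = '\0'; } else if (i < 2) { return -1; }
        if (strlen(p) >= MAX_ID) { return -1; }
        strcpy(dst[i], p);
        p = tab ? tab + 1 : p;
    }
    return 0;
}
/* Hand the reauth identity out once: clear and persist it before it is used. */
int ids_take_reauth(const char *path, simaka_ids_t *ids, char *out, size_t outlen)
{
    if (!ids->reauth[0] || strlen(ids->reauth) >= outlen) { return -1; }
    strcpy(out, ids->reauth);
    ids->reauth[0] = '\0';
    return ids_save(path, ids);
}
```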