Re: [HOKEY] [IPsec] IKEv2 and ERP

Yoav Nir <ynir@checkpoint.com> Wed, 23 November 2011 08:05 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: "'Qin Wu'" <bill.wu@huawei.com>, Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Wed, 23 Nov 2011 10:03:56 +0200
Thread-Topic: [IPsec] IKEv2 and ERP
Thread-Index: Acyo7iqlHSBxI/huQtKEb09W4qA4XAAx98Pg
Message-ID: <006FEB08D9C6444AB014105C9AEB133F0179B226F941@il-ex01.ad.checkpoint.com>
References: <6205B3A8-4806-4F7A-B0CB-B9E36A744A37@checkpoint.com> <0A56F7B3-72CE-4274-AB68-7F24A366782B@checkpoint.com> <4EC8AF72.30206@gmail.com> <44C96308-32C8-4F02-B661-FDCA9029C274@checkpoint.com> <E4CD6969D2504339A962A9808C8F3B8A@china.huawei.com>
In-Reply-To: <E4CD6969D2504339A962A9808C8F3B8A@china.huawei.com>
Cc: IPsecme WG <ipsec@ietf.org>, "hokey@ietf.org" <hokey@ietf.org>
Subject: Re: [HOKEY] [IPsec] IKEv2 and ERP
List-Id: HOKEY WG Mailing List <hokey.ietf.org>

Thanks, Qin

I wonder what the rationale is for this. Why would a phone that's already on the Internet connect to the visited network rather than the home network? Is that because of concerns about bandwidth and latency?

Anyway, is there a use case for ERP in those cases?

Yoav

________________________________
From: Qin Wu [mailto:bill.wu@huawei.com]
Sent: 22 November 2011 10:07
To: Yoav Nir; Yaron Sheffer
Cc: IPsecme WG; hokey@ietf.org
Subject: Re: [IPsec] IKEv2 and ERP

Hi Yoav,
Yes, I am aware of other cases where IKE is used beyond the home network.
Here are two example use cases adopted by 3GPP. These two use cases only work for the roaming scenario.
[two inline figures (3GPP roaming use cases) not reproduced]

In both use cases, IKE negotiation happens between the WLAN UE and the Packet Data Gateway (PDG) or Tunnel
Termination Gateway (TTG). Both PDG and TTG are deployed in the 3GPP visited network.

Also we have two cases below where IKE is used with the home network. Both PDG and TTG are deployed
in the 3GPP home network. These two cases only work for the non-roaming scenario.
[two inline figures (3GPP non-roaming use cases) not reproduced]


Regards!
-Qin
----- Original Message -----
From: Yoav Nir<mailto:ynir@checkpoint.com>
To: Yaron Sheffer<mailto:yaronf.ietf@gmail.com> ; Qin Wu<mailto:bill.wu@huawei.com>
Cc: IPsecme WG<mailto:ipsec@ietf.org> ; hokey@ietf.org<mailto:hokey@ietf.org>
Sent: Sunday, November 20, 2011 4:01 PM
Subject: Re: [IPsec] IKEv2 and ERP

Hi Yaron

Actually the motivation in my case is a smooth transition from an 802.1x local network to remote access VPN on a 3GPP/WiMax public network and back, and this is a very enterprise-network sort of thing. At the HOKEY meeting in QC there were some Telco people, and they didn't seem to think there was another use case.

I do remember the use case of doing IKE with EAP-SIM or EAP-AKA, but IIRC that was also the phone connecting to its home network over the Internet.

Qin: are you aware of cases where IKE is used with anything other than the home network?

Yoav

On Nov 20, 2011, at 9:42 AM, Yaron Sheffer wrote:

Hi Yoav,

motivation for this work seems to have come from 3GPP/3GPP2/WiMAX, and I strongly suggest that you or your coauthor go back to the originating organization to validate your use case(s).

I find the new paragraph (top of Sec. 3.2) confusing: I would expect the IKE negotiation to go to a local network (in the "visited network") with this gateway being supported by a "home" EAP server. EAP requests are commonly routed back into the home network. In a telco network, this backend EAP connectivity most likely would *not* be over the open Internet.

Lastly, judging by the level of interest so far, I do not see this draft becoming an ipsecme WG charter item. I do not have any problem with its being published elsewhere.

Thanks,
    Yaron

On 11/19/2011 02:07 PM, Yoav Nir wrote:

On Aug 6, 2011, at 10:37 PM, Yoav Nir wrote:
Hi

At the meeting in Quebec, I gave a presentation at the hokey meeting about http://tools.ietf.org/html/draft-nir-ipsecme-erx .

The draft covers using the EAP extensions for re-authentication in IKEv2. The obvious (to me) use case is a phone connected to an 802.1x network. As you leave the building, the same phone automatically connects using IKEv2 over a 3G network without the user authenticating, by using the handed-over keys from 802.1x.

ERP (RFC 5296) works in two cases:
1. when the new AAA backend and the old AAA backend are the same, and
2. when they are different - you connect to a local EAP server

There is an open question here. Obviously, when you use EAP for 802.1x or PPP or some other network access, you often connect to a local Authenticator that is not the same as your "home network". But is this relevant in IKEv2? IKEv2 is used over the Internet. Why would you ever want to connect to a server other than your home (or a server that relies on the same AAA backend)?

In other words: is there a use case for connecting to a local rather than a home server in IKE, a use case that uses EAP?

My feeling is that the answer is no, and there were some phone operators in the room who agreed with me. Someone did bring up the case of host-to-host IPsec, but I don't think that ever uses EAP.

Does anybody have different thoughts about this?


(crickets)

As there were no replies to this email, and as there was pretty much an uncalled consensus at the HOKEY meeting, I have submitted version -02 of the draft with an extra paragraph in section 3.2 to explain that "roaming to a different EAP server" scenario is probably not relevant.

http://www.ietf.org/internet-drafts/draft-nir-ipsecme-erx-02

I would be happy for this to become a working group item, but if not, I would like to take it to our ADs (not sure which one, as this involves both IPsecME and HOKEY). I would also appreciate any suggestions for the Security Considerations section, other than just moving the rest of section 3.2 into it.

Yoav