Re: [HOKEY] [IPsec] IKEv2 and ERP

Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 20 November 2011 16:50 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4791221F8AC9; Sun, 20 Nov 2011 08:50:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0NEyd3XbBrjG; Sun, 20 Nov 2011 08:50:57 -0800 (PST)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id C5D7B21F8876; Sun, 20 Nov 2011 08:50:56 -0800 (PST)
Received: by wwe5 with SMTP id 5so6920455wwe.13 for <multiple recipients>; Sun, 20 Nov 2011 08:50:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=5fJ03Gxn69jlAaOUVlX94r4/sKzMEHYFwTKQ+cZiCp4=; b=KIB/Y3OWnGKZJYRGWryOzfMnwmASjhLBsNwj32vbyiqfVcaAk6n8aFBGVzfNjGBLck 3lwjIlXqvkBnog85hVIE7dNkBSLt17CwFJmgKmyYGUHgugKWsovRGNx5vm/IHbBi6fZ6 POq2dLJjPV4EJiiBHF7gz+cN2w/YajVCFvbCk=
Received: by 10.216.185.136 with SMTP id u8mr1706057wem.89.1321807854418; Sun, 20 Nov 2011 08:50:54 -0800 (PST)
Received: from [192.168.7.159] (46-116-66-62.bb.netvision.net.il. [46.116.66.62]) by mx.google.com with ESMTPS id es5sm9330761wbb.11.2011.11.20.08.50.51 (version=SSLv3 cipher=OTHER); Sun, 20 Nov 2011 08:50:52 -0800 (PST)
Message-ID: <4EC92FEA.1090508@gmail.com>
Date: Sun, 20 Nov 2011 18:50:50 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <6205B3A8-4806-4F7A-B0CB-B9E36A744A37@checkpoint.com> <0A56F7B3-72CE-4274-AB68-7F24A366782B@checkpoint.com> <4EC8AF72.30206@gmail.com> <44C96308-32C8-4F02-B661-FDCA9029C274@checkpoint.com>
In-Reply-To: <44C96308-32C8-4F02-B661-FDCA9029C274@checkpoint.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Cc: IPsecme WG <ipsec@ietf.org>, "hokey@ietf.org" <hokey@ietf.org>
Subject: Re: [HOKEY] [IPsec] IKEv2 and ERP
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Nov 2011 16:50:58 -0000

I read the draft once again and I'm a bit more confused than before... 
Here are a few comments:

• The document should clarify what "ERX" means and how ERX relates to ERP.
• The first message of the protocol sequence in Sec. 3 ends with a 
comma. Is it missing a notification?
• "EAP_Initiate/Re-auth message replaces the IDi payload": Omitting IDi 
may or may not be the right decision (it modifies RFC 5996!), but in any 
case a rationale is needed. In order to not break IKEv2, the protocol 
could mandate that the same ID should be used at both levels, i.e. that 
IDi should be identical to the EAP-level identity. I realize that this 
is not ideal.
• The first paragraph of 3.2 is confusing: most deployments would 
probably use a single EAP server *even if* they use multiple IKE/IPsec 
gateways. Hence the last sentence of the paragraph should be dropped.
• More importantly: the issue of identifying the client (e.g. for the 
gateway to generate useful audit records) is important even for the 
"pure enterprise" use case of roaming from 802.11 to IPsec. 
Unfortunately the protocol is incomplete until/unless any of the methods 
defined in this section (e.g. transmitting the client's authorization 
group) is standardized. This is probably just a question of picking the 
right RADIUS TLV. Maybe just need to say that the Class attribute MUST 
be used. In other words, in the absence of IDi the gateway cannot make 
policy decisions even if only a single gateway is used!
• Sec. 4: how is the realm encoded? I think the correct answer is 
"ASCII, with no null termination".

Thanks,
Yaron

On 11/20/2011 10:01 AM, Yoav Nir wrote:
> Hi Yaron
>
> Actually the motivation in my case is a smooth transition from a 
> 802.1x local network, to remote access VPN on a 3GPP/WiMax public 
> network and back, and this is a very enterprise network sort of thing. 
> At the HOKEY meeting in QC there were some Telco people, and they 
> didn't seem to think there was another use case.
>
> I do remember the use case of doing IKE with EAP-SIM or EAP-AKA, but 
> IIRC that was also the phone connecting to its home network over the 
> Internet.
>
> Qin: are you aware of cases where IKE is used with anything other than 
> the home network?
>
> Yoav
>
> On Nov 20, 2011, at 9:42 AM, Yaron Sheffer wrote:
>
>> Hi Yoav,
>>
>> motivation for this work seems to have come from 3GPP/3GPP2/WiMAX, 
>> and I strongly suggest that you or your coauthor go back to the 
>> originating organization to validate your use case(s).
>>
>> I find the new paragraph (top of Sec. 3.2) confusing: I would expect 
>> the IKE negotiation to go to a local network (in the "visited 
>> network") with this gateway being supported by a "home" EAP server. 
>> EAP requests are commonly routed back into the home network. In a 
>> telco network, this backend EAP connectivity most likely would *not* 
>> be over the open Internet.
>>
>> Lastly, judging by the level of interest so far, I do not see this 
>> draft becoming an ipsecme WG charter item. I do not have any problem 
>> with its being published elsewhere.
>>
>> Thanks,
>> Yaron
>>
>> On 11/19/2011 02:07 PM, Yoav Nir wrote:
>>> On Aug 6, 2011, at 10:37 PM, Yoav Nir wrote:
>>>
>>>> Hi
>>>>
>>>> At the meeting in Quebec, I gave a presentation at the hokey meeting abouthttp://tools.ietf.org/html/draft-nir-ipsecme-erx  .
>>>>
>>>> The draft covers using the EAP extensions for re-authentication in IKEv2. The obvious (to me) use-case is a phone connected to a 802.1x network. As you leave the building, the same phone automatically using IKEv2 over a 3G network without the user authenticating, by using the handed-over keys from 802.1x.
>>>>
>>>> ERP (RFC 5296) works in two cases:
>>>> 1. when the new AAA backend and the old AAA backend are the same, and
>>>> 2. when they are different - you connect to a local EAP server
>>>>
>>>> There is an open question here. Obviously, when you use EAP for 802.1x or PPP or some other network access, you often connect to a local Authenticator that is not the same as your "home network". But is this relevant in IKEv2?  IKEv2 is used over the Internet. Why would you ever want to connect to a server other than your home (or a server that relies on the same AAA backend)
>>>>
>>>> In other words: is there a use-case for connecting to a local rather than a home server in IKE, a use-case that uses EAP.
>>>>
>>>> My feeling is that the answer is no, and there were some phone operators in the room who agreed with me. Someone did bring up the case of host-to-host IPsec, but I don't think that ever uses EAP.
>>>>
>>>> Does anybody have different thoughts about this?
>>> (crickets)
>>>
>>> As there were no replies to this email, and as there was pretty much an uncalled consensus at the HOKEY meeting, I have submitted version -02 of the draft with an extra paragraph in section 3.2 to explain that "roaming to a different EAP server" scenario is probably not relevant.
>>>
>>> http://www.ietf.org/internet-drafts/draft-nir-ipsecme-erx-02
>>>
>>> I would be happy for this to become a working group item, but if not, I would like to take it to our ADs (not sure which one, as this involves both IPsecME and HOKEY). I would also appreciate any suggestions for the Security Considerations section, other than just moving the rest of section 3.2 into it.
>>>
>>> Yoav
>>> _______________________________________________
>>> IPsec mailing list
>>> IPsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipsec
>>
>>
>