Re: [HOKEY] [IPsec] IKEv2 and ERP

Qin Wu <bill.wu@huawei.com> Wed, 23 November 2011 10:02 UTC

Return-Path: <bill.wu@huawei.com>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5126521F8C1F; Wed, 23 Nov 2011 02:02:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.179
X-Spam-Level:
X-Spam-Status: No, score=-4.179 tagged_above=-999 required=5 tests=[AWL=1.220, BAYES_00=-2.599, J_CHICKENPOX_31=0.6, J_CHICKENPOX_53=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 79tlPaCTYjmc; Wed, 23 Nov 2011 02:02:48 -0800 (PST)
Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [119.145.14.64]) by ietfa.amsl.com (Postfix) with ESMTP id 9BFB921F8C1C; Wed, 23 Nov 2011 02:02:48 -0800 (PST)
Received: from huawei.com (szxga05-in [172.24.2.49]) by szxga05-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LV300AXNYKA8D@szxga05-in.huawei.com>; Wed, 23 Nov 2011 18:02:34 +0800 (CST)
Received: from szxrg01-dlp.huawei.com ([172.24.2.119]) by szxga05-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LV3004HGYK7X9@szxga05-in.huawei.com>; Wed, 23 Nov 2011 18:02:34 +0800 (CST)
Received: from szxeml205-edg.china.huawei.com ([172.24.2.119]) by szxrg01-dlp.huawei.com (MOS 4.1.9-GA) with ESMTP id AFG70568; Wed, 23 Nov 2011 18:02:31 +0800
Received: from SZXEML409-HUB.china.huawei.com (10.82.67.136) by szxeml205-edg.china.huawei.com (172.24.2.57) with Microsoft SMTP Server (TLS) id 14.1.323.3; Wed, 23 Nov 2011 18:02:28 +0800
Received: from w53375q (10.138.41.130) by szxeml409-hub.china.huawei.com (10.82.67.136) with Microsoft SMTP Server (TLS) id 14.1.323.3; Wed, 23 Nov 2011 18:02:23 +0800
Date: Wed, 23 Nov 2011 18:02:23 +0800
From: Qin Wu <bill.wu@huawei.com>
X-Originating-IP: [10.138.41.130]
To: Yoav Nir <ynir@checkpoint.com>, 'Yaron Sheffer' <yaronf.ietf@gmail.com>
Message-id: <C9756632C66B4FC2BCE7A7E823B68250@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.6109
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 7BIT
X-Priority: 3
X-MSMail-priority: Normal
X-CFilter-Loop: Reflected
References: <6205B3A8-4806-4F7A-B0CB-B9E36A744A37@checkpoint.com> <0A56F7B3-72CE-4274-AB68-7F24A366782B@checkpoint.com> <4EC8AF72.30206@gmail.com> <44C96308-32C8-4F02-B661-FDCA9029C274@checkpoint.com> <E4CD6969D2504339A962A9808C8F3B8A@china.huawei.com> <006FEB08D9C6444AB014105C9AEB133F0179B226F941@il-ex01.ad.checkpoint.com> <006FEB08D9C6444AB014105C9AEB133F0179B226F942@il-ex01.ad.checkpoint.com>
Cc: 'IPsecme WG' <ipsec@ietf.org>, hokey@ietf.org
Subject: Re: [HOKEY] [IPsec] IKEv2 and ERP
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Nov 2011 10:02:49 -0000

Apparently neither of the four cases I gave you  describes the phone sits on the Internet.
In ERP, we allow two cases.
If there is no local ER server in the visited network, the peer should communicate directly 
with home ER server through ER capable authenticator.

However if there is a local ER server in the visited network, we allow the peer  initates normal 
EAP exchange with the home EAP server in the home network firstly. In the meanwhile the 
local ER server in the path between the peer and home EAP server ask for keying materials. 
In the subsequent procedure, the peer can communicate locally with the local ER server.

Regards!
-Qin
----- Original Message ----- 
From: "Yoav Nir" <ynir@checkpoint.com>
To: "Yoav Nir" <ynir@checkpoint.com>om>; "'Qin Wu'" <bill.wu@huawei.com>om>; "'Yaron Sheffer'" <yaronf.ietf@gmail.com>
Cc: "'IPsecme WG'" <ipsec@ietf.org>rg>; <hokey@ietf.org>
Sent: Wednesday, November 23, 2011 4:07 PM
Subject: RE: [IPsec] IKEv2 and ERP



[resending as plaintext]


Thanks, Qin
 
I wonder what the rationale is for this. Why would a phone that's already on the Internet connect to the visited network rather than the home network. Is that because of concerns about bandwidth and latency?
 
Anyway, is there a use case for ERP in those cases?
 
Yoav

________________________________

From: Qin Wu [mailto:bill.wu@huawei.com] 
Sent: 22 November 2011 10:07
To: Yoav Nir; Yaron Sheffer
Cc: IPsecme WG; hokey@ietf.org
Subject: Re: [IPsec] IKEv2 and ERP


Hi,Yoav:
yes,I am do aware of other cases where IKE is used beyond the home network. 
Here are two example use cases adopted by 3GPP.Thes two use cases only work for roaming scenario.


 
In both use cases,IKE negotiation happens between WLAN UE and Packet Data Gateway(PDG) or Tunnel
Termination Gateway (TTG). Both PDG and TTG are deployed in 3GPP visited Network.
 
Also we have two cases where IKE is used with the home network belows. Both PDG and TTG are deployed
in the 3GPP home netwrok. These two cases only work for non-roaming scenario.

 

 
 
Regards!
-Qin