IETF Logo Mail Archive

Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-erx-00

Qin Wu <sunseawq@huawei.com> Wed, 04 May 2011 06:15 UTC

Return-Path: <sunseawq@huawei.com>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50021E06FA; Tue, 3 May 2011 23:15:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.036
X-Spam-Level:
X-Spam-Status: No, score=-4.036 tagged_above=-999 required=5 tests=[AWL=2.563, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HNt-U2oO8ooV; Tue, 3 May 2011 23:14:59 -0700 (PDT)
Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [119.145.14.66]) by ietfa.amsl.com (Postfix) with ESMTP id 23151E06E6; Tue, 3 May 2011 23:14:59 -0700 (PDT)
Received: from huawei.com (szxga03-in [172.24.2.9]) by szxga03-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LKN006ULQOTZI@szxga03-in.huawei.com>; Wed, 04 May 2011 14:14:53 +0800 (CST)
Received: from huawei.com ([172.24.2.119]) by szxga03-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LKN00CXUQOTXZ@szxga03-in.huawei.com>; Wed, 04 May 2011 14:14:53 +0800 (CST)
Received: from w53375 ([10.138.41.70]) by szxml06-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0LKN005RXQOSAZ@szxml06-in.huawei.com>; Wed, 04 May 2011 14:14:53 +0800 (CST)
Date: Wed, 04 May 2011 14:18:22 +0800
From: Qin Wu <sunseawq@huawei.com>
To: Yoav Nir <ynir@checkpoint.com>
Message-id: <029301cc0a23$11dcadf0$46298a0a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3664
X-Mailer: Microsoft Outlook Express 6.00.2900.3664
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7BIT
X-Priority: 3
X-MSMail-priority: Normal
References: <006FEB08D9C6444AB014105C9AEB133F013ABE025E24@il-ex01.ad.checkpoint.com> <4DBF19F4.6050804@gmail.com> <95F1A883-8213-4A57-911B-E660E02A3117@checkpoint.com> <00a401cc09fd$b152ef00$46298a0a@china.huawei.com> <8CAC67D8-623B-4738-89B0-4A72C3C7AF95@checkpoint.com>
Cc: ipsec@ietf.org, hokey@ietf.org
Subject: Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-erx-00
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2011 06:15:03 -0000

Hi,
----- Original Message ----- 
From: "Yoav Nir" <ynir@checkpoint.com>
To: "Qin Wu" <sunseawq@huawei.com>
Cc: <ipsec@ietf.org>
Sent: Wednesday, May 04, 2011 1:30 PM
Subject: Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00


> 
> On May 4, 2011, at 4:50 AM, Qin Wu wrote:
> 
>>>> - I am missing the "authenticated peer identity", which I would assume 
>>>> should arrive from the AAA server. This should be the basis of RFC4301 
>>>> policy decisions on the IKE gateway. Does ERP provide this identity?
>>> 
>>> The EAP-Initiate/Re-auth packet carries a keyName-NAI TLV, but that is sent from the client (or "peer") to the authentication server through the gateway. (section 5.3.2 of the bis document)
>>> The EAP-Finish/Re-auth packet also carries a keyName-NAI TLV, and that is sent from the authentication server through the gateway to the client.
>>> But these don't really help, because the username part of NAI is the 64-bit EMSKname, which is not directly related to user name.
>>> However, these messages come within an Access-Accept packet from the RADIUS server, and those include a proper user name.
>> 
>> [Qin]: If you are talking about the second identity specified in section 6.4 of RFC5998, I think, unlike EAP, ERP does not provide such identity.
>> ERP only define two types: one is Re-auth-Start, the other is Re-Auth.
>> 
>> KeyName-NAI TLV defined in RFC5296 and RFC5296bis more looks like the first idenity described in section 6.4 of RFC5998.
>> As decribed in section 5.1 of RFC5296,
>> "
>>     When an ERP-capable authenticator receives the EAP-Initiate/
>>      Re-auth message from a peer, it copies the contents of the
>>                                                       ^^^^^^^^^^^^^^^^^^^^
>>      keyName-NAI into the User-Name attribute of RADIUS [13]. 
>>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> "
> 
> But what does the RADIUS send in the User-Name attribute of Access-Accept?  How does the Authenticator know who the user is?  The Authenticator needs the true identity to make policy decisions.

[Qin]: I assume username part of KeyName-NAI will be regarded by RADIUS server as User-Name during authentication.
Also I think it is not necessarily to couple  authorization with authentication.

> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.8.7 | Report a Bug | By Email