IETF Logo Mail Archive

Re: [HOKEY] Fw: [IPsec] New I-D: draft-nir-ipsecme-erx-00

Glen Zorn <gwz@net-zen.net> Wed, 04 May 2011 02:55 UTC

Return-Path: <gwz@net-zen.net>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EABA8E0664 for <hokey@ietfa.amsl.com>; Tue, 3 May 2011 19:55:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0r7Ot0UEU8nx for <hokey@ietfa.amsl.com>; Tue, 3 May 2011 19:55:57 -0700 (PDT)
Received: from p3plsmtpa01-10.prod.phx3.secureserver.net (p3plsmtpa01-10.prod.phx3.secureserver.net [72.167.82.90]) by ietfa.amsl.com (Postfix) with SMTP id 64B8CE0618 for <hokey@ietf.org>; Tue, 3 May 2011 19:55:57 -0700 (PDT)
Received: (qmail 31659 invoked from network); 4 May 2011 02:55:56 -0000
Received: from unknown (124.120.177.229) by p3plsmtpa01-10.prod.phx3.secureserver.net (72.167.82.90) with ESMTP; 04 May 2011 02:55:55 -0000
Message-ID: <4DC0C036.40309@net-zen.net>
Date: Wed, 04 May 2011 09:55:50 +0700
From: Glen Zorn <gwz@net-zen.net>
Organization: Network Zen
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.17) Gecko/20110414 Thunderbird/3.1.10
MIME-Version: 1.0
To: Qin Wu <sunseawq@huawei.com>
References: <010401cc09fd$fadec0e0$46298a0a@china.huawei.com>
In-Reply-To: <010401cc09fd$fadec0e0$46298a0a@china.huawei.com>
X-Enigmail-Version: 1.1.1
Content-Type: multipart/mixed; boundary="------------090104090600080800060105"
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>, Yoav Nir <ynir@checkpoint.com>, hokey@ietf.org
Subject: Re: [HOKEY] Fw: [IPsec] New I-D: draft-nir-ipsecme-erx-00
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2011 02:55:58 -0000

On 5/4/2011 8:52 AM, Qin Wu wrote:
> FYI.

Instead of just forwarding selected messages, how about adding the hokey
list to this conversation?

> ----- Original Message ----- 
> From: "Qin Wu" <sunseawq@huawei.com>
> To: "Yoav Nir" <ynir@checkpoint.com>om>; "Yaron Sheffer" <yaronf.ietf@gmail.com>
> Cc: <ipsec@ietf.org>
> Sent: Wednesday, May 04, 2011 9:50 AM
> Subject: Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00
> 
> 
>>>> - I am missing the "authenticated peer identity", which I would assume 
>>>> should arrive from the AAA server. This should be the basis of RFC4301 
>>>> policy decisions on the IKE gateway. Does ERP provide this identity?
>>>
>>> The EAP-Initiate/Re-auth packet carries a keyName-NAI TLV, but that is sent from the client (or "peer") to the authentication server through the gateway. (section 5.3.2 of the bis document)
>>> The EAP-Finish/Re-auth packet also carries a keyName-NAI TLV, and that is sent from the authentication server through the gateway to the client.
>>> But these don't really help, because the username part of NAI is the 64-bit EMSKname, which is not directly related to user name.
>>> However, these messages come within an Access-Accept packet from the RADIUS server, and those include a proper user name.
>>
>> [Qin]: If you are talking about the second identity specified in section 6.4 of RFC5998, I think, unlike EAP, ERP does not provide such identity.
>> ERP only define two types: one is Re-auth-Start, the other is Re-Auth.
>>
>> KeyName-NAI TLV defined in RFC5296 and RFC5296bis more looks like the first idenity described in section 6.4 of RFC5998.
>> As decribed in section 5.1 of RFC5296,
>> "
>>     When an ERP-capable authenticator receives the EAP-Initiate/
>>      Re-auth message from a peer, it copies the contents of the
>>                                                       ^^^^^^^^^^^^^^^^^^^^
>>      keyName-NAI into the User-Name attribute of RADIUS [13]. 
>>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> "
>>
>>>
>>>> - Does this draft coexist with certificate-less mutual EAP 
>>>> authentication, as per RFC5998?
>>>
>>> I think the handed-over keying material is cryptographic proof enough and that certificates will usually be unnecessary, so I think yes.
>>
>> [Qin]: Correct.
>>
>>>>
>>>> Thanks,
>>>>     Yaron
>>>
>>> _______________________________________________
>>> IPsec mailing list
>>> IPsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipsec
> _______________________________________________
> HOKEY mailing list
> HOKEY@ietf.org
> https://www.ietf.org/mailman/listinfo/hokey
> 
>

v2.8.7 | Report a Bug | By Email