Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-erx-00
Qin Wu <sunseawq@huawei.com> Thu, 12 May 2011 07:07 UTC
Return-Path: <sunseawq@huawei.com>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 57875E06E3; Thu, 12 May 2011 00:07:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.161
X-Spam-Level:
X-Spam-Status: No, score=-6.161 tagged_above=-999 required=5 tests=[AWL=0.438,
BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 99LJ+kWy1ers;
Thu, 12 May 2011 00:07:35 -0700 (PDT)
Received: from szxga04-in.huawei.com (szxga04-in.huawei.com [119.145.14.67])
by ietfa.amsl.com (Postfix) with ESMTP id 328EBE06B7;
Thu, 12 May 2011 00:07:35 -0700 (PDT)
Received: from huawei.com (szxga04-in [172.24.2.12]) by szxga04-in.huawei.com
(iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id
<0LL200AZ5MGJVF@szxga04-in.huawei.com>; Thu, 12 May 2011 15:07:31 +0800 (CST)
Received: from huawei.com ([172.24.2.119]) by szxga04-in.huawei.com (iPlanet
Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id
<0LL200EG7MGJYH@szxga04-in.huawei.com>; Thu, 12 May 2011 15:07:31 +0800 (CST)
Received: from w53375 ([10.138.41.70]) by szxml04-in.huawei.com (iPlanet
Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id
<0LL200GFMMGJPN@szxml04-in.huawei.com>; Thu, 12 May 2011 15:07:31 +0800 (CST)
Date: Thu, 12 May 2011 15:11:14 +0800
From: Qin Wu <sunseawq@huawei.com>
To: Yoav Nir <ynir@checkpoint.com>
Message-id: <020501cc1073$c807f570$46298a0a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3664
X-Mailer: Microsoft Outlook Express 6.00.2900.3664
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7BIT
X-Priority: 3
X-MSMail-priority: Normal
References: <006FEB08D9C6444AB014105C9AEB133F013ABE025E24@il-ex01.ad.checkpoint.com>
<4DBF19F4.6050804@gmail.com>
<95F1A883-8213-4A57-911B-E660E02A3117@checkpoint.com>
<00a401cc09fd$b152ef00$46298a0a@china.huawei.com>
<8CAC67D8-623B-4738-89B0-4A72C3C7AF95@checkpoint.com>
<b94047babd6474117f7734354425dc0b.squirrel@www.trepanning.net>
<BAE19B87-DE7A-4306-B3F0-D171580BCE57@checkpoint.com>
<86c7cd758de89a6f640f8e55faff11ee.squirrel@www.trepanning.net>
<F27D10DD-0B3A-4BA1-AF42-9D814C761804@checkpoint.com>
<6c5908c5ea31d90ed1a8f96b57bf2d72.squirrel@www.trepanning.net>
<FC252A0F-BCF3-458D-B2C1-68CCF64F583F@checkpoint.com>
<4DC30B68.70202@gmail.com>
<624EB8DD-96F6-422A-A2DE-B02A0507BF14@checkpoint.com>
<007301cc0c4f$b3c45540$ff5afea9@C863D63E94E7457>
<6754CE76-DC10-4912-8D13-33A4CDC764CC@checkpoint.com>
Cc: ipsec@ietf.org, hokey@ietf.org
Subject: Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-erx-00
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>,
<mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>,
<mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2011 07:07:36 -0000
Hi, ----- Original Message ----- From: "Yoav Nir" <ynir@checkpoint.com> To: "Qin Wu" <sunseawq@huawei.com> Cc: <ipsec@ietf.org>rg>; "Dan Harkins" <dharkins@lounge.org>rg>; <hokey@ietf.org> Sent: Wednesday, May 11, 2011 10:19 PM Subject: Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00 > > On May 7, 2011, at 3:42 AM, Qin Wu wrote: > >> >> >>> >>> It seems to me RFC 4306/5996 took the concept a bit further than RFC 4301 ever intended (in fact I believe the text is new to RFC 5996). Presumably, when we talk about identity-based policy decisions, we refer to http://tools.ietf.org/html/rfc4301#section-4.4.3. This text (and the following section) explicitly allows for "bulk" policies that apply to "@example.com".com", i.e. anybody at that domain. And such coarse granularity may be sufficient in practice for inter-ISP traffic: ISP1 may be happy to provide secure connectivity to ISP2's customers and take a cut of the business, even if it doesn't know the exact identity of each customer and cannot contact them, bill them or log their names. >>> >>> So I would suggest that the draft should mention that no individual authenticated identity is available in the typical case (and this is unfortunately in conflict with RFC 5996), but the obscured identity provided in RADIUS Access-Accept can be used to make legitimate policy decisions. >> >> I'm not even sure of that. Qin, does ERP give us the domain name of the original authenticating server? Do we even know if the user came from this-isp or that-isp? >> >>> >>> Thanks, >>> Yaron >> >> [Qin]: Sure. >> >> The domain name of the original authenticating server you are talking about is actually home domain name. >> The peer bootstraps from the home domain at the first time and should know home domain name or home ER server name wherever it moves around. >> The peer learns local domain name through ERP message or other lower layer mechanism. Therefore the peer can identify which domain it move to. >> The local ER server and ER authenticator can know domain name through realm part of KeyName-NAI TLV carried in the ERP message sent from the peer. >> Comparing realm part of KeyName-NAI and the domain which they belong to, they also can identify if the user come from home domain or local domain. > > I wonder if local domain is ever distinct from home domain with IKE. [Qin]: From AAA perspective, local domain or visited domain should be distinct from home domain. >From IKE perspective, I am not sure. > IKE/IPsec is usually used for site-to-site and for remote access VPNs. There is also some use for host-to-host, but I don't know what they use for authentication. > > In the case of remote-access, the client connects to some home gateway. Unless there's some complex federation going with a single gateway answering for multiple domains, everyone connects to a gateway that is connected directly to the home RADIUS server. Even phones with an Internet (not 3G/4G) connection will connect to their "home" operator network rather than to a local operator network. > > So I don't think there's a case where the AAA server is not the home server. And in that case, the AAA server has the real user name. So if we're using re-authentication, the VPN gateway has the domain (it is the same domain) and an ephemeral identity generated by the original EAP, which may have been done with another authenticator (such as a 802.1x access point) [Qin]: It depdents on the scenario you are talking about. When you are doing authorization, you should go back to home domain to talk with home AAA server since Home AAA server maintain user profile. When you are doing authentication, it is not necessary to go back to talk with home server each time since keying materails can be transported to the domain which the client currectly connected to. If you assume authorization and authentication are doing together each time, Fine, ERP described in RFC5296 allows this case. In such case, there is no local ER server deployed in the visited domain, therefore each time the client or the peer should go back to talk with home server. Also I should point out EAP server or ER server may be separated from AAA server. > This reduces the problem to getting the real ID from the ephemeral ID, assuming that you are talking to the real RADIUS server, or else being able to fetch policy from such a server or from an LDAP server. I guess vendors could have proprietary solutions, but I'm wondering if there's a standardized way to do this. [Qin] We can go to do authorization in home domain each time. In this way, we can be easy to get real ID. BTW:I remember this similar issue had been discussed in DIME and Hokey Working group. > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [HOKEY] New I-D: draft-nir-ipsecme-erx-00 Yoav Nir
- [HOKEY] FW: New I-D: draft-nir-ipsecme-erx-00 Tina Tsou
- [HOKEY] Fw: [IPsec] New I-D: draft-nir-ipsecme-er… Qin Wu
- Re: [HOKEY] Fw: [IPsec] New I-D: draft-nir-ipsecm… Glen Zorn
- Re: [HOKEY] Fw: [IPsec] New I-D: draft-nir-ipsecm… Qin Wu
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Qin Wu
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Yoav Nir
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Qin Wu
- Re: [HOKEY] Fw: [IPsec] New I-D: draft-nir-ipsecm… Glen Zorn
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Yoav Nir
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Dan Harkins
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Yoav Nir
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Dan Harkins
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Yoav Nir
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Yaron Sheffer
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Yoav Nir
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Qin Wu
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Yoav Nir
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Qin Wu