[HOKEY] FW: New I-D: draft-nir-ipsecme-erx-00

Tina Tsou <tena@huawei.com> Mon, 02 May 2011 17:48 UTC

Return-Path: <tena@huawei.com>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 388F3E06EC for <hokey@ietfa.amsl.com>; Mon, 2 May 2011 10:48:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.099
X-Spam-Level:
X-Spam-Status: No, score=-105.099 tagged_above=-999 required=5 tests=[AWL=1.500, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FEhr5D34y6cT for <hokey@ietfa.amsl.com>; Mon, 2 May 2011 10:47:59 -0700 (PDT)
Received: from usaga04-in.huawei.com (usaga04-in.huawei.com [206.16.17.180]) by ietfa.amsl.com (Postfix) with ESMTP id 7622FE06EB for <hokey@ietf.org>; Mon, 2 May 2011 10:47:59 -0700 (PDT)
Received: from huawei.com (usaga04-in [172.18.4.101]) by usaga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LKK00C5DXFXZ9@usaga04-in.huawei.com> for hokey@ietf.org; Mon, 02 May 2011 12:47:57 -0500 (CDT)
Received: from TingZousc1 ([10.193.34.188]) by usaga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0LKK009ICXFVDE@usaga04-in.huawei.com> for hokey@ietf.org; Mon, 02 May 2011 12:47:57 -0500 (CDT)
Date: Mon, 02 May 2011 10:48:01 -0700
From: Tina Tsou <tena@huawei.com>
To: hokey@ietf.org
Message-id: <013701cc08f1$15bed430$413c7c90$@com>
MIME-version: 1.0
X-Mailer: Microsoft Office Outlook 12.0
Content-type: text/plain; charset=us-ascii
Content-language: en-us
Content-transfer-encoding: 7BIT
Thread-index: AcwIvGxAunpC79zhQuOaCfwwzT5+NgANG34Q
Subject: [HOKEY] FW: New I-D: draft-nir-ipsecme-erx-00
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2011 17:48:00 -0000

Hi Yoav,
I received a Mailman mailing list bounce action notice to
hokey-owner@ietf.org.
So I'm forwarding for you.


We keep our promises with one another - no matter what!

Best Regards,
Tina TSOU
http://tinatsou.weebly.com/contact.html


-----Original Message-----
From: hokey-bounces@ietf.org [mailto:hokey-bounces@ietf.org] On Behalf Of
Yoav Nir
Sent: Monday, May 02, 2011 4:31 AM
To: ipsec@ietf.org; 'hokey@ietf.org'
Subject: [HOKEY] New I-D: draft-nir-ipsecme-erx-00

Hi.

Qin and I have just posted the subject draft.  The title is "An IKEv2
Extension for Supporting ERP", although it has nothing to do with enterprise
resource planning.

This draft brings the ERP extension for EAP, which is developed by the Hokey
group into the IKEv2 authentication exchange, allowing a client ("peer" or
"initiator") to authenticate to a VPN gateway ("Authenticator" or
"responder") in only three round-trips, and without user intervention,
provided that this client has unexpired keys from a previous run of EAP. It
doesn't matter whether the previous run was done in the context of another
IKE exchange, attachment to a 802.1x LAN or over PPP.

We would like this draft to be accepted as a working-group item in IPsecME,
although serious review in hokey will also be needed.

I'd like to use this one-time cross-posted mail message to explain some of
the design decisions in this -00 version of the draft.

The EAP-Initiate/Re-auth-Start message is missing from the protocol.
Instead, a notification payload carries the domain name. This was done
because an EAP payload in the IKE_SA_INIT response would be weird, whereas
unknown Notifications are common. We are not sure whether placing the domain
name is necessary, because in IKE, the client usually connects to a
pre-configured gateway, rather than attaching to any network available as in
802.1x.

We do not run two EAP protocols in parallel (re-auth and something else) as
in RFC 5296 and the bis document, because IKEv2 ususally doesn't have
identity requests (they identity protocol is replaced by the user identity
in the IDi payload), and running a real EAP protocol would put us in a weird
state with the backend EAP server. Instead, we send the domain name in the
notification payload, and the client may either send the
EAP-Initiate/Re-auth message or the IDi payload (but not both).

Alternatively we could have the client indicate support in the IKE_SA_INIT
request, and then have a proper EAP-Initiate/Re-auth-Start message in the
IKE_SA_INIT response. I don't see much advantage in this, so in version -00
we did not do this.

We would very much appreciate feedback from both groups.

Qin & Yoav
_______________________________________________
HOKEY mailing list
HOKEY@ietf.org
https://www.ietf.org/mailman/listinfo/hokey