Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-erx-00

Yoav Nir <ynir@checkpoint.com> Wed, 04 May 2011 19:12 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 715ABE07BE; Wed, 4 May 2011 12:12:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.191
X-Spam-Level:
X-Spam-Status: No, score=-8.191 tagged_above=-999 required=5 tests=[AWL=2.408, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g0fpVeRTjSou; Wed, 4 May 2011 12:12:06 -0700 (PDT)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id E0FDDE07C2; Wed, 4 May 2011 12:12:05 -0700 (PDT)
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id p44JBtK0009266; Wed, 4 May 2011 22:11:55 +0300
X-CheckPoint: {4DC1B234-0-1B221DC2-FFFF}
Received: from il-ex03.ad.checkpoint.com (194.29.34.71) by il-ex01.ad.checkpoint.com (194.29.34.26) with Microsoft SMTP Server (TLS) id 8.2.255.0; Wed, 4 May 2011 22:11:55 +0300
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex03.ad.checkpoint.com ([194.29.34.71]) with mapi; Wed, 4 May 2011 22:11:55 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Dan Harkins <dharkins@lounge.org>
Date: Wed, 4 May 2011 22:11:53 +0300
Thread-Topic: [IPsec] New I-D: draft-nir-ipsecme-erx-00
Thread-Index: AcwKjyENsFiPZoIpQ/CsK4nhAizRfg==
Message-ID: <BAE19B87-DE7A-4306-B3F0-D171580BCE57@checkpoint.com>
References: <006FEB08D9C6444AB014105C9AEB133F013ABE025E24@il-ex01.ad.checkpoint.com> <4DBF19F4.6050804@gmail.com> <95F1A883-8213-4A57-911B-E660E02A3117@checkpoint.com> <00a401cc09fd$b152ef00$46298a0a@china.huawei.com> <8CAC67D8-623B-4738-89B0-4A72C3C7AF95@checkpoint.com> <b94047babd6474117f7734354425dc0b.squirrel@www.trepanning.net>
In-Reply-To: <b94047babd6474117f7734354425dc0b.squirrel@www.trepanning.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "hokey@ietf.org" <hokey@ietf.org>
Subject: Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-erx-00
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2011 19:12:07 -0000

Hi Dan,

On May 4, 2011, at 9:47 PM, Dan Harkins wrote:

> 
> On Tue, May 3, 2011 10:30 pm, Yoav Nir wrote:
> [snip]
>> The Authenticator needs the true identity to make policy decisions.
> 
>  Well then DO NOT use EAP for authentication.
> 
>  Dan.

I'm sure I don't understand your point. The IKE responder does not need to know the user's true identity in the sense of whether she is a cat person or a dog person. "alice@example.com" is good enough for policy lookups and policy decisions, as well as for generating meaningful logs. "1542a0f74aef5011@example.com", where the part before the at-sign is a hex representation of an ephemeral key, is not.