Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-erx-00
Yoav Nir <ynir@checkpoint.com> Wed, 04 May 2011 07:01 UTC
From: Yoav Nir <ynir@checkpoint.com>
To: Qin Wu <sunseawq@huawei.com>
Date: Wed, 4 May 2011 10:00:54 +0300
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "hokey@ietf.org" <hokey@ietf.org>
On May 4, 2011, at 9:18 AM, Qin Wu wrote:

> Hi,
> ----- Original Message -----
> From: "Yoav Nir" <ynir@checkpoint.com>
> To: "Qin Wu" <sunseawq@huawei.com>
> Cc: <ipsec@ietf.org>
> Sent: Wednesday, May 04, 2011 1:30 PM
> Subject: Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00
>
>>
>> On May 4, 2011, at 4:50 AM, Qin Wu wrote:
>>
>>>>> - I am missing the "authenticated peer identity", which I would assume
>>>>> should arrive from the AAA server. This should be the basis of RFC4301
>>>>> policy decisions on the IKE gateway. Does ERP provide this identity?
>>>>
>>>> The EAP-Initiate/Re-auth packet carries a keyName-NAI TLV, but that is sent from the client (or "peer") to the authentication server through the gateway. (section 5.3.2 of the bis document)
>>>> The EAP-Finish/Re-auth packet also carries a keyName-NAI TLV, and that is sent from the authentication server through the gateway to the client.
>>>> But these don't really help, because the username part of NAI is the 64-bit EMSKname, which is not directly related to user name.
>>>> However, these messages come within an Access-Accept packet from the RADIUS server, and those include a proper user name.
>>>
>>> [Qin]: If you are talking about the second identity specified in section 6.4 of RFC5998, I think, unlike EAP, ERP does not provide such identity.
>>> ERP only defines two types: one is Re-auth-Start, the other is Re-Auth.
>>>
>>> KeyName-NAI TLV defined in RFC5296 and RFC5296bis looks more like the first identity described in section 6.4 of RFC5998.
>>> As described in section 5.1 of RFC5296,
>>> "
>>> When an ERP-capable authenticator receives the EAP-Initiate/
>>> Re-auth message from a peer, it copies the contents of the
>>>                                 ^^^^^^^^^^^^^^^^^^^^
>>> keyName-NAI into the User-Name attribute of RADIUS [13].
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> "
>>
>> But what does the RADIUS send in the User-Name attribute of Access-Accept? How does the Authenticator know who the user is?
>> The Authenticator needs the true identity to make policy decisions.
>
> [Qin]: I assume username part of KeyName-NAI will be regarded by RADIUS server as User-Name during authentication.

RFC 3579 says: "The User-Name attribute within the Access-Accept packet need not be the same as the User-Name attribute in the Access-Request."

Do current implementations copy the KeyName-NAI to the Access-Accept?

> Also I think it is not necessary to couple authorization with authentication.

They may not be coupled in other EAP contexts, but IPsec requires policy decisions based on authenticated identity. One way or another, the IKE implementation needs to get the real user identity for policy decisions.

Yoav
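The identity question in the exchange above, as an added example that is not part of the thread or of the draft: a gateway-side check that refuses to use the keyName-NAI's EMSKname as a peer identity and takes the identity for RFC 4301 policy only from a RADIUS Access-Accept User-Name that is something other than the echoed key name. The hex encoding of the 64-bit EMSKname, the dict representation of RADIUS attributes and the sample values are assumptions made for the example.

```python
import re

# Assumption for this example: the username part of keyName-NAI is the
# 64-bit EMSKname written as 16 hexadecimal characters.
EMSKNAME_RE = re.compile(r"^[0-9A-Fa-f]{16}$")


def split_nai(nai):
    """Split 'username@realm' into (username, realm); realm may be empty."""
    username, _, realm = nai.partition("@")
    return username, realm


def is_emskname_username(nai):
    """True when the NAI's username part is an EMSKname (a key name),
    i.e. not something an RFC 4301 policy can be keyed on."""
    username, _ = split_nai(nai)
    return bool(EMSKNAME_RE.match(username))


def policy_identity(access_request_username, access_accept):
    """Return the identity the IKE gateway may use for policy, or None.

    access_request_username: User-Name the authenticator sent, copied
    from keyName-NAI as RFC 5296 section 5.1 requires.
    access_accept: attributes of the Access-Accept as a dict (assumed
    representation). RFC 3579 allows its User-Name to differ from the
    request's; only a name that is not just the echoed key name is usable.
    """
    accepted_name = access_accept.get("User-Name")
    if accepted_name is None:
        return None  # server did not say who the user is
    if accepted_name == access_request_username or is_emskname_username(accepted_name):
        return None  # echoed keyName-NAI: an opaque key name, not a user identity
    return accepted_name


def selectors_for_peer(access_request_username, access_accept, policy):
    """Look up traffic selectors for the authenticated peer; an empty list
    means no policy decision can be made from what the AAA server returned."""
    identity = policy_identity(access_request_username, access_accept)
    if identity is None:
        return []
    return policy.get(identity, [])


# Constructed sample data: a re-auth whose Access-Accept names the real user.
KEYNAME_NAI = "0123456789abcdef@example.com"
SAMPLE_POLICY = {"alice@example.com": ["10.0.1.0/24"]}
SAMPLE_ACCEPT = {"User-Name": "alice@example.com", "Session-Timeout": 3600}
```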