[HOKEY] Fw: [IPsec] New I-D: draft-nir-ipsecme-erx-00
Qin Wu <sunseawq@huawei.com> Wed, 04 May 2011 01:49 UTC
Return-Path: <sunseawq@huawei.com>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 5E978E07D0 for <hokey@ietfa.amsl.com>;
Tue, 3 May 2011 18:49:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.645
X-Spam-Level:
X-Spam-Status: No, score=-3.645 tagged_above=-999 required=5 tests=[AWL=2.954,
BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gURWppbKM9pv for
<hokey@ietfa.amsl.com>; Tue, 3 May 2011 18:49:24 -0700 (PDT)
Received: from szxga04-in.huawei.com (szxga04-in.huawei.com [119.145.14.67])
by ietfa.amsl.com (Postfix) with ESMTP id 9B866E06EC for <hokey@ietf.org>;
Tue, 3 May 2011 18:49:24 -0700 (PDT)
Received: from huawei.com (szxga04-in [172.24.2.12]) by szxga04-in.huawei.com
(iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id
<0LKN00HQUEEBU3@szxga04-in.huawei.com> for hokey@ietf.org;
Wed, 04 May 2011 09:49:23 +0800 (CST)
Received: from huawei.com ([172.24.2.119]) by szxga04-in.huawei.com (iPlanet
Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id
<0LKN005Q6EEB1G@szxga04-in.huawei.com> for hokey@ietf.org;
Wed, 04 May 2011 09:49:23 +0800 (CST)
Received: from w53375 ([10.138.41.70]) by szxml06-in.huawei.com (iPlanet
Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id
<0LKN00I02EEBP8@szxml06-in.huawei.com> for hokey@ietf.org;
Wed, 04 May 2011 09:49:23 +0800 (CST)
Date: Wed, 04 May 2011 09:52:52 +0800
From: Qin Wu <sunseawq@huawei.com>
To: hokey@ietf.org
Message-id: <010401cc09fd$fadec0e0$46298a0a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3664
X-Mailer: Microsoft Outlook Express 6.00.2900.3664
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7BIT
X-Priority: 3
X-MSMail-priority: Normal
Subject: [HOKEY] Fw: [IPsec] New I-D: draft-nir-ipsecme-erx-00
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>,
<mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>,
<mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2011 01:49:25 -0000
FYI. ----- Original Message ----- From: "Qin Wu" <sunseawq@huawei.com> To: "Yoav Nir" <ynir@checkpoint.com>om>; "Yaron Sheffer" <yaronf.ietf@gmail.com> Cc: <ipsec@ietf.org> Sent: Wednesday, May 04, 2011 9:50 AM Subject: Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00 >>> - I am missing the "authenticated peer identity", which I would assume >>> should arrive from the AAA server. This should be the basis of RFC4301 >>> policy decisions on the IKE gateway. Does ERP provide this identity? >> >> The EAP-Initiate/Re-auth packet carries a keyName-NAI TLV, but that is sent from the client (or "peer") to the authentication server through the gateway. (section 5.3.2 of the bis document) >> The EAP-Finish/Re-auth packet also carries a keyName-NAI TLV, and that is sent from the authentication server through the gateway to the client. >> But these don't really help, because the username part of NAI is the 64-bit EMSKname, which is not directly related to user name. >> However, these messages come within an Access-Accept packet from the RADIUS server, and those include a proper user name. > > [Qin]: If you are talking about the second identity specified in section 6.4 of RFC5998, I think, unlike EAP, ERP does not provide such identity. > ERP only define two types: one is Re-auth-Start, the other is Re-Auth. > > KeyName-NAI TLV defined in RFC5296 and RFC5296bis more looks like the first idenity described in section 6.4 of RFC5998. > As decribed in section 5.1 of RFC5296, > " > When an ERP-capable authenticator receives the EAP-Initiate/ > Re-auth message from a peer, it copies the contents of the > ^^^^^^^^^^^^^^^^^^^^ > keyName-NAI into the User-Name attribute of RADIUS [13]. > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > " > >> >>> - Does this draft coexist with certificate-less mutual EAP >>> authentication, as per RFC5998? >> >> I think the handed-over keying material is cryptographic proof enough and that certificates will usually be unnecessary, so I think yes. > > [Qin]: Correct. > >>> >>> Thanks, >>> Yaron >> >> _______________________________________________ >> IPsec mailing list >> IPsec@ietf.org >> https://www.ietf.org/mailman/listinfo/ipsec
- [HOKEY] New I-D: draft-nir-ipsecme-erx-00 Yoav Nir
- [HOKEY] FW: New I-D: draft-nir-ipsecme-erx-00 Tina Tsou
- [HOKEY] Fw: [IPsec] New I-D: draft-nir-ipsecme-er… Qin Wu
- Re: [HOKEY] Fw: [IPsec] New I-D: draft-nir-ipsecm… Glen Zorn
- Re: [HOKEY] Fw: [IPsec] New I-D: draft-nir-ipsecm… Qin Wu
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Qin Wu
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Yoav Nir
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Qin Wu
- Re: [HOKEY] Fw: [IPsec] New I-D: draft-nir-ipsecm… Glen Zorn
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Yoav Nir
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Dan Harkins
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Yoav Nir
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Dan Harkins
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Yoav Nir
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Yaron Sheffer
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Yoav Nir
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Qin Wu
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Yoav Nir
- Re: [HOKEY] [IPsec] New I-D: draft-nir-ipsecme-er… Qin Wu