Re: [HOKEY] [IPsec] IKEv2 and ERP

Yoav Nir <> Sat, 19 November 2011 12:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EB7B921F8906; Sat, 19 Nov 2011 04:07:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.427
X-Spam-Status: No, score=-10.427 tagged_above=-999 required=5 tests=[AWL=0.172, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id l6wstFLXrDxP; Sat, 19 Nov 2011 04:07:20 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id E0EB821F886A; Sat, 19 Nov 2011 04:07:19 -0800 (PST)
X-CheckPoint: {4EC79B87-1-1B221DC2-1FFFF}
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id pAJC73Kn012558; Sat, 19 Nov 2011 14:07:06 +0200
Received: from ([]) by ([]) with mapi; Sat, 19 Nov 2011 14:07:03 +0200
From: Yoav Nir <>
To: IPsecme WG <>, "" <>
Date: Sat, 19 Nov 2011 14:07:01 +0200
Thread-Topic: [IPsec] IKEv2 and ERP
Thread-Index: Acyms78r9LXIPGAFRSqpLmGTzuzx+Q==
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [HOKEY] [IPsec] IKEv2 and ERP
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 19 Nov 2011 12:07:21 -0000

On Aug 6, 2011, at 10:37 PM, Yoav Nir wrote:

> Hi
> At the meeting in Quebec, I gave a presentation at the hokey meeting about .
> The draft covers using the EAP extensions for re-authentication in IKEv2. The obvious (to me) use-case is a phone connected to a 802.1x network. As you leave the building, the same phone automatically using IKEv2 over a 3G network without the user authenticating, by using the handed-over keys from 802.1x.
> ERP (RFC 5296) works in two cases:
> 1. when the new AAA backend and the old AAA backend are the same, and
> 2. when they are different - you connect to a local EAP server
> There is an open question here. Obviously, when you use EAP for 802.1x or PPP or some other network access, you often connect to a local Authenticator that is not the same as your "home network". But is this relevant in IKEv2?  IKEv2 is used over the Internet. Why would you ever want to connect to a server other than your home (or a server that relies on the same AAA backend)
> In other words: is there a use-case for connecting to a local rather than a home server in IKE, a use-case that uses EAP.
> My feeling is that the answer is no, and there were some phone operators in the room who agreed with me. Someone did bring up the case of host-to-host IPsec, but I don't think that ever uses EAP.
> Does anybody have different thoughts about this?


As there were no replies to this email, and as there was pretty much an uncalled consensus at the HOKEY meeting, I have submitted version -02 of the draft with an extra paragraph in section 3.2 to explain that "roaming to a different EAP server" scenario is probably not relevant.

I would be happy for this to become a working group item, but if not, I would like to take it to our ADs (not sure which one, as this involves both IPsecME and HOKEY). I would also appreciate any suggestions for the Security Considerations section, other than just moving the rest of section 3.2 into it.