Re: [IPsec] Clarification on identities involved in IKEv2 EAP authentication
Yoav Nir <ynir@checkpoint.com> Tue, 10 November 2009 11:58 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C7C213A696D for <ipsec@core3.amsl.com>; Tue, 10 Nov 2009 03:58:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DxUarlHM5e2y for <ipsec@core3.amsl.com>; Tue, 10 Nov 2009 03:58:57 -0800 (PST)
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by core3.amsl.com (Postfix) with ESMTP id 7FAA83A687F for <ipsec@ietf.org>; Tue, 10 Nov 2009 03:58:56 -0800 (PST)
X-CheckPoint: {4AF95282-6-14201DC2-FFFF}
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id F277329C004; Tue, 10 Nov 2009 13:59:22 +0200 (IST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id D21D329C002; Tue, 10 Nov 2009 13:59:22 +0200 (IST)
X-CheckPoint: {4AF95282-0-14201DC2-FFFF}
Received: from il-ex01.ad.checkpoint.com (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id nAABxMc6024625; Tue, 10 Nov 2009 13:59:22 +0200 (IST)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Tue, 10 Nov 2009 13:59:24 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "Amjad Inamdar (amjads)" <amjads@cisco.com>
Date: Tue, 10 Nov 2009 13:59:19 +0200
Thread-Topic: [IPsec] Clarification on identities involved in IKEv2 EAP authentication
Thread-Index: Acph/T6sbxIgyziASaiLecrXjL4UOA==
Message-ID: <4C814C81-70C3-4597-B279-FED18230331C@checkpoint.com>
References: <1CFAB1B15A6C1142BD1FC07D1CA82AB2015F102B@XMB-BGL-417.cisco.com>
In-Reply-To: <1CFAB1B15A6C1142BD1FC07D1CA82AB2015F102B@XMB-BGL-417.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/signed; micalg="sha1"; boundary="Apple-Mail-64-374285746"; protocol="application/pkcs7-signature"
MIME-Version: 1.0
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] Clarification on identities involved in IKEv2 EAP authentication
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 11:58:57 -0000
On Nov 10, 2009, at 1:40 PM, Amjad Inamdar (amjads) wrote: > Hi, > > With IKEv2 EAP authentication, there are 3 identities involved > > 1) IDi - IKEv2 initiator identity sent in msg-3 > 2) EAP identity that gateway (IKE2 responder) can request from the > client (IKEv2 initiator) > 3) Authenticated EAP identity that third party EAP server provides to > the gateway (IKEv2 responder). > > > Could someone please clarify from RFC standpoint if > > 1) The 3 identities mentioned above MUST/SHOULD be same No, although they typically are. > 2) If not same, what purpose should each of the above identities serve 1) mainly used as a hint for the gateway as to which AAA server to choose 2) It's the AAA server that may request the identity, and it's internal to AAA. It doesn't play in IKE 3) That's the authenticated identity of the user. That is what the responder uses for policy decisions. > 3) The mandatory/recommended format for each of the above identites All the types in section 3.5 are acceptable, but the most used ones are ID_RFC822_ADDR and ID_DER_ASN1_DN
- [IPsec] Clarification on identities involved in I… Amjad Inamdar (amjads)
- Re: [IPsec] Clarification on identities involved … Yoav Nir
- Re: [IPsec] Clarification on identities involved … Amjad Inamdar (amjads)
- Re: [IPsec] Clarification on identities involved … Paul Hoffman
- Re: [IPsec] Clarification on identities involved … shaik abdulla
- Re: [IPsec] Clarification on identities involved … Andreas Steffen
- Re: [IPsec] Clarification on identities involved … Srinivasu S R S Dhulipala (srinid)
- Re: [IPsec] Clarification on identities involved … Yoav Nir
- Re: [IPsec] Clarification on identities involved … Srinivasu S R S Dhulipala (srinid)
- Re: [IPsec] Clarification on identities involved … Yoav Nir
- Re: [IPsec] Clarification on identities involved … Tero Kivinen
- Re: [IPsec] Clarification on identities involved … Raj Singh
- Re: [IPsec] Clarification on identities involved … Yoav Nir
- Re: [IPsec] Clarification on identities involved … Amjad Inamdar (amjads)
- Re: [IPsec] Clarification on identities involved … Murthy N Srinivas-B22237
- Re: [IPsec] Clarification on identities involved … Murthy N Srinivas-B22237
- Re: [IPsec] Clarification on identities involved … Frederic Detienne
- Re: [IPsec] Clarification on identities involved … Amjad Inamdar (amjads)
- Re: [IPsec] Clarification on identities involved … Murthy N Srinivas-B22237
- Re: [IPsec] Clarification on identities involved … Frederic Detienne