Re: [IPsec] Clarification on identities involved in IKEv2 EAP authentication

Yoav Nir <ynir@checkpoint.com> Tue, 10 November 2009 11:58 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: "Amjad Inamdar (amjads)" <amjads@cisco.com>
Date: Tue, 10 Nov 2009 13:59:19 +0200
Thread-Topic: [IPsec] Clarification on identities involved in IKEv2 EAP authentication
Message-ID: <4C814C81-70C3-4597-B279-FED18230331C@checkpoint.com>
References: <1CFAB1B15A6C1142BD1FC07D1CA82AB2015F102B@XMB-BGL-417.cisco.com>
In-Reply-To: <1CFAB1B15A6C1142BD1FC07D1CA82AB2015F102B@XMB-BGL-417.cisco.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] Clarification on identities involved in IKEv2 EAP authentication

On Nov 10, 2009, at 1:40 PM, Amjad Inamdar (amjads) wrote:

> Hi,
>
> With IKEv2 EAP authentication, there are 3 identities involved
>
> 1) IDi - IKEv2 initiator identity sent in msg-3
> 2) EAP identity that gateway (IKEv2 responder) can request from the
> client (IKEv2 initiator)
> 3) Authenticated EAP identity that third party EAP server provides to
> the gateway (IKEv2 responder).
>
>
> Could someone please clarify from RFC standpoint if
>
> 1) The 3 identities mentioned above MUST/SHOULD be same

No, although they typically are.

> 2) If not same, what purpose should each of the above identities serve

   1) mainly used as a hint for the gateway as to which AAA server to choose
   2) It's the AAA server that may request the identity, and it's internal to AAA. It doesn't play in IKE
   3) That's the authenticated identity of the user. That is what the responder uses for policy decisions.

> 3) The mandatory/recommended format for each of the above identities

All the types in section 3.5 are acceptable, but the most used ones are ID_RFC822_ADDR and ID_DER_ASN1_DN
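The three roles Yoav assigns to the identities, as an added toy model in Python (not from the thread or from any IKE implementation): IDi only steers the request to an AAA server, the EAP identity is internal to that server, and the responder's policy is keyed on the identity the AAA server returns. The realm table, AAA servers, credentials and policy entries are all constructed sample data.

```python
"""Toy IKEv2 responder decision logic for EAP authentication.

IDi (msg 3) is unauthenticated and is used only to pick an AAA server.
Authorization is decided on the identity the AAA server authenticates.
"""

# Constructed: which AAA server serves which realm (hint derived from IDi).
AAA_BY_REALM = {"example.com": "aaa-corp", "partner.example": "aaa-partner"}

# Constructed stand-in for the EAP servers: (EAP identity, secret) -> authenticated identity.
AAA_SERVERS = {
    "aaa-corp": {("alice", "s3cret"): "alice@example.com"},
    "aaa-partner": {("bob", "hunter2"): "bob@partner.example"},
}

# Constructed policy, keyed on the AAA-authenticated identity and never on IDi.
POLICY = {"alice@example.com": {"corp-net"}, "bob@partner.example": {"dmz"}}


def select_aaa_server(idi_type: str, idi_value: str) -> str:
    """Point 1: IDi is only a routing hint. Unknown realms fall back to a default server."""
    if idi_type == "ID_RFC822_ADDR":
        realm = idi_value.rsplit("@", 1)[-1]
    elif idi_type == "ID_DER_ASN1_DN":
        # Constructed convention: join the DC= components of a textual DN into a realm.
        parts = [p.strip().split("=", 1)[1]
                 for p in idi_value.split(",") if p.strip().upper().startswith("DC=")]
        realm = ".".join(parts)
    else:
        raise ValueError("unsupported IDi type: %s" % idi_type)
    return AAA_BY_REALM.get(realm, "aaa-corp")


def eap_authenticate(server: str, eap_identity: str, secret: str):
    """Point 2: the EAP identity is requested and checked inside the AAA server.
    Returns the authenticated identity, or None on failure. IKE never sees eap_identity."""
    return AAA_SERVERS[server].get((eap_identity, secret))


def authorize(idi_type: str, idi_value: str, eap_identity: str, secret: str):
    """Responder flow: route on IDi, authenticate via EAP, then apply policy to the
    authenticated identity (point 3). Returns the allowed networks, or None if auth failed."""
    server = select_aaa_server(idi_type, idi_value)
    auth_id = eap_authenticate(server, eap_identity, secret)
    if auth_id is None:
        return None
    return POLICY.get(auth_id, set())
```

Note that a client may put any realm into IDi; the model shows that this only changes which AAA server is asked, never what the client is authorized for.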