IETF Logo Mail Archive

RE: [Ipsec] Reauthentication in IKEv2

Pasi.Eronen@nokia.com Thu, 28 October 2004 08:26 UTC

Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA18617 for <ipsec-archive@lists.ietf.org>; Thu, 28 Oct 2004 04:26:34 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CN5Zm-0001v1-DB; Thu, 28 Oct 2004 04:24:06 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CN5YF-0001f0-3u for ipsec@megatron.ietf.org; Thu, 28 Oct 2004 04:22:31 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA18404 for <ipsec@ietf.org>; Thu, 28 Oct 2004 04:22:29 -0400 (EDT)
From: Pasi.Eronen@nokia.com
Received: from mgw-x2.nokia.com ([131.228.20.22]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CN5mD-0003Gt-NG for ipsec@ietf.org; Thu, 28 Oct 2004 04:37:01 -0400
Received: from esdks003.ntc.nokia.com (esdks003.ntc.nokia.com [172.21.138.158]) by mgw-x2.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id i9S8MNe03710; Thu, 28 Oct 2004 11:22:23 +0300 (EET DST)
X-Scanned: Thu, 28 Oct 2004 11:22:16 +0300 Nokia Message Protector V1.3.31 2004060815 - RELEASE
Received: (from root@localhost) by esdks003.ntc.nokia.com (8.12.9/8.12.9) id i9S8MGSw022203; Thu, 28 Oct 2004 11:22:16 +0300
Received: from mgw-int2.ntc.nokia.com (172.21.143.97) by esdks003.ntc.nokia.com 00eOethz; Thu, 28 Oct 2004 11:22:16 EEST
Received: from esebh003.NOE.Nokia.com (esebh003.ntc.nokia.com [172.21.138.82]) by mgw-int2.ntc.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id i9S8MGS06746; Thu, 28 Oct 2004 11:22:16 +0300 (EET DST)
Received: from esebh005.NOE.Nokia.com ([172.21.138.86]) by esebh003.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Thu, 28 Oct 2004 11:22:13 +0300
Received: from esebe016.NOE.Nokia.com ([172.21.138.55]) by esebh005.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Thu, 28 Oct 2004 11:22:14 +0300
Received: from esebe056.NOE.Nokia.com ([172.21.143.51]) by esebe016.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Thu, 28 Oct 2004 11:22:13 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Ipsec] Reauthentication in IKEv2
Date: Thu, 28 Oct 2004 11:22:13 +0300
Message-ID: <125EA890549C8641A72F3809CB80DCCD178394@esebe056.ntc.nokia.com>
Thread-Topic: [Ipsec] Reauthentication in IKEv2
Thread-Index: AcS8wakDfzyDu1YhSWqbuvkg8gGxYgAAqfFg
To: umas@intotoinc.com, vjyothi@intotoinc.com, ipsec@ietf.org
X-OriginalArrivalTime: 28 Oct 2004 08:22:13.0827 (UTC) FILETIME=[3A71D930:01C4BCC7]
X-Spam-Score: 0.3 (/)
X-Scan-Signature: c1c65599517f9ac32519d043c37c5336
Content-Transfer-Encoding: quoted-printable
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
Content-Transfer-Encoding: quoted-printable

umas@intotoinc.com writes:

>> For policy lookups, it's very important to use the identity
>> (identifier) that was actually authenticated by the EAP
>> method, and this is not necessarily the same as IDi. Many EAP
>> methods have an internal identity exchange, and the initial
>> identity (e.g., IDi or EAP Identity Response) is used only
>> for AAA routing and selecting which method to use (see RFC
>> 3748, sections 5.1 and 7.3). "Reauthentication identities" in
>> some EAP methods are an obvious example where using IDi for
>> policy lookups fails, but that's not the main reason.

> Uma: So, initiator wants to send the new authenticated
> identity by EAP Method (Say fast re authentication ID) what
> could be the options at Responder side, so that it could
> successfully identify policy and can relay the same to EAP
> Server ---which eventually could cause Successful EAP Re
> Authentication too.

The responder (acting as EAP pass-through authenticator) does
not, in general, know the real identity that will be authenticated 
by the EAP method before the EAP method starts. 

But fortunately this is not even necessary; the identity sent by 
the client (e.g., fast reauthentication id) still contains enough 
information to select the right AAA server and EAP method; and 
other policy lookups can be done after EAP is finished.

> It seems with this, Is it that, in the re authentication of
> IKE_SA case also IDi would be the same original IDi ???? and
> with this Responder  would relay the same and can't use the Re
> Authentication facility provided by EAP Method??  Or Really is
> there any other way, so that initiator can send two ID's one
> is the original IDi for policy matching and the second is the
> Authenticated EAP Re authentication ID to have EAP
> Re-authentication facility????? (It's not correct/possible)

The real identifier that was authenticated with EAP has to
come from the AAA server, not the initiator. With RADIUS,
this means the server has to include something in the 
Access-Accept message (e.g., User-Name attribute).

(See, e.g., draft-ietf-aaa-eap-09 (section 2.8.1), or
draft-adrangi-radius-chargeable-user-identity-02.)

Best regards,
Pasi

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email