Re: [IPsec] Clarification on identities involved in IKEv2EAP authentication

Frederic Detienne <fdetienn@cisco.com> Thu, 12 November 2009 22:35 UTC

Return-Path: <fdetienn@cisco.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5070F3A68D3 for <ipsec@core3.amsl.com>; Thu, 12 Nov 2009 14:35:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DEmb3OVJGV9r for <ipsec@core3.amsl.com>; Thu, 12 Nov 2009 14:35:44 -0800 (PST)
Received: from av-tac-bru.cisco.com (weird-brew.cisco.com [144.254.15.118]) by core3.amsl.com (Postfix) with ESMTP id 0CD583A68A5 for <ipsec@ietf.org>; Thu, 12 Nov 2009 14:35:43 -0800 (PST)
X-TACSUNS: Virus Scanned
Received: from strange-brew.cisco.com (localhost.cisco.com [127.0.0.1]) by av-tac-bru.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id nACMWPtJ003806; Thu, 12 Nov 2009 23:32:25 +0100 (CET)
Received: from ams-fdetienn-8717.cisco.com (ams-fdetienn-8717.cisco.com [10.55.136.232]) by strange-brew.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id nACMWKuN027728; Thu, 12 Nov 2009 23:32:20 +0100 (CET)
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: multipart/alternative; boundary=Apple-Mail-12-585065835
From: Frederic Detienne <fdetienn@cisco.com>
In-Reply-To: <39008D85-3D9B-4B8B-A9FA-C4C91658630E@checkpoint.com>
Date: Thu, 12 Nov 2009 23:32:19 +0100
Message-Id: <8D65C1C1-F360-4139-B8C8-17D57A5E4EB1@cisco.com>
References: <1CFAB1B15A6C1142BD1FC07D1CA82AB2015F102B@XMB-BGL-417.cisco.com> <4C814C81-70C3-4597-B279-FED18230331C@checkpoint.com> <3A8C969225424C4D8E6BEE65ED8552DA4C446E@XMB-BGL-41C.cisco.com> <39008D85-3D9B-4B8B-A9FA-C4C91658630E@checkpoint.com>
To: Yoav Nir <ynir@checkpoint.com>
X-Mailer: Apple Mail (2.1077)
X-Mailman-Approved-At: Thu, 12 Nov 2009 16:46:01 -0800
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "Amjad Inamdar \(amjads\)" <amjads@cisco.com>
Subject: Re: [IPsec] Clarification on identities involved in IKEv2EAP authentication
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2009 22:35:45 -0000

On 11 Nov 2009, at 14:53, Yoav Nir wrote:

> 
> On Nov 11, 2009, at 3:39 PM, Srinivasu S R S Dhulipala (srinid) wrote:
>> 
>>> 2) If not same, what purpose should each of the above identities serve
>> 
>>  1) mainly used as a hint for the gateway as to which AAA server to
>> choose
>>  2) It's the AAA server that may request the identity, and it's
>> internal to AAA. It doesn't play in IKE
>> 
>> [SRINI] Does this imply that gateway SHOULD not send EAP identity
>> request to the client,
>>           we see that one 3rd party IKEv2 client is sending IP address
>> as IDi, from which we can't
>>           take any hints. Moreover, the same client is expecting an
>> EAP-ID request to be sent,
>>           else EAP is failing.
>>           I've started another thread about why did we demote "SHOULD"
>> to "should" if the gateway is
>>           Not supposed to send EAP-identity request to the client. I
>> think we should promote it back.
> 
> The gateway never sends any EAP identity requests at all. If such a request exists, it is sent by the AAA server. The gateway serves only as a pass-through.
> 
> For that reason, there is typically no reason for the gateway to inspect the contents of the EAP payload.

This is the gist of the question. It is tempting for the client implementation to send just a dummy IDi (like an IP address) that prevents proper selection of the AAA server for subsequent authentication. The client rationale being that the proper ID will be passed during EAP. As such inspecting the ID_request is also tempting to circumvent the client's behavior.

It would be a good idea to recommend IDi to be meaningful for AAA selection and avoid drama's. Something like:

--8<--
IDi SHOULD be meaningful enough for the responder to select an adequate authentication and authorization profile. The IDi SHOULD be unique in the authentication domain, constant over time and structured. ID_FQDN, ID_DER_ASN1_DN, ID_RFC822_ADDR are good candidates for an IDi. Other ID types are good if they match the above criteria.
--8<--

This is something that is not immediately obvious to the client developers and will help server developers to convey their point.

	fred

> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec