Re: [IPsec] Clarification on identities involved in IKEv2EAPauthentication
"Srinivasu S R S Dhulipala (srinid)" <srinid@cisco.com> Wed, 11 November 2009 14:05 UTC
Date: Wed, 11 Nov 2009 19:35:35 +0530
Message-ID: <3A8C969225424C4D8E6BEE65ED8552DA4C4472@XMB-BGL-41C.cisco.com>
In-Reply-To: <39008D85-3D9B-4B8B-A9FA-C4C91658630E@checkpoint.com>
References: <1CFAB1B15A6C1142BD1FC07D1CA82AB2015F102B@XMB-BGL-417.cisco.com> <4C814C81-70C3-4597-B279-FED18230331C@checkpoint.com> <3A8C969225424C4D8E6BEE65ED8552DA4C446E@XMB-BGL-41C.cisco.com> <39008D85-3D9B-4B8B-A9FA-C4C91658630E@checkpoint.com>
From: "Srinivasu S R S Dhulipala (srinid)" <srinid@cisco.com>
To: Yoav Nir <ynir@checkpoint.com>
Cc: ipsec@ietf.org, "Amjad Inamdar (amjads)" <amjads@cisco.com>
Subject: Re: [IPsec] Clarification on identities involved in IKEv2EAPauthentication
Hi Yoav,

Thanks for the quick response. Please see inline.

-----Original Message-----
From: Yoav Nir [mailto:ynir@checkpoint.com]
Sent: Wednesday, November 11, 2009 7:23 PM
To: Srinivasu S R S Dhulipala (srinid)
Cc: Amjad Inamdar (amjads); ipsec@ietf.org
Subject: Re: [IPsec] Clarification on identities involved in IKEv2EAPauthentication

On Nov 11, 2009, at 3:39 PM, Srinivasu S R S Dhulipala (srinid) wrote:

>
>> 2) If not same, what purpose should each of the above identities serve
>
> 1) mainly used as a hint for the gateway as to which AAA server to
> choose
> 2) It's the AAA server that may request the identity, and it's
> internal to AAA. It doesn't play in IKE
>
> [SRINI] Does this imply that gateway SHOULD not send EAP identity
> request to the client,
> we see that one 3rd party IKEv2 client is sending IP address
> as IDi, from which we can't
> take any hints. Moreover, the same client is expecting an
> EAP-ID request to be sent,
> else EAP is failing.
> I've started another thread about why did we demote "SHOULD"
> to "should" if the gateway is
> not supposed to send EAP-identity request to the client. I
> think we should promote it back.

The gateway never sends any EAP identity requests at all. If such a request exists, it is sent by the AAA server. The gateway serves only as a pass-through.

[SRINI] Text below from sec 3.16 of the bis hints that responder may send, but it says it should not. In RFC 4306, it was "SHOULD NOT", in the bis it is "should not". {{ Demoted the SHOULD NOT and SHOULD }}

   Note that since IKE passes an indication of initiator identity in
   message 3 of the protocol, the responder should not send EAP Identity
   requests. The initiator may, however, respond to such requests if it
   receives them.

Thanks,
Srinivas

For that reason, there is typically no reason for the gateway to inspect the contents of the EAP payload.
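The split of roles discussed above (IDi in IKE_AUTH message 3 is only a hint for choosing the AAA server; the gateway then relays EAP without generating or inspecting it; any EAP Identity request comes from the AAA server and the initiator may answer it) can be shown as a small simulation. The following is an added example and is not code from the thread, from any IKEv2 implementation or from the IETF. The realm table, server names, the in-memory AAA server and the account list are all constructed for illustration; the ID types and EAP packet layout follow RFC 4306 section 3.5 and RFC 3748 respectively. It also covers the edge case raised in the thread: an IDi that is a bare IP address yields no routing hint, so the gateway falls back to a default AAA server, and the exchange still completes because the identity request is issued by the AAA server, not by the gateway.

```python
"""Toy IKEv2 responder: IDi selects the AAA server, then EAP is relayed verbatim.
Added example; all names, addresses and accounts below are constructed."""
import ipaddress
import struct

# IKEv2 Identification payload ID types (RFC 4306 section 3.5)
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR, ID_KEY_ID = 1, 2, 3, 5, 11

# EAP codes and the Identity type (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

# Constructed routing table: realm hint -> AAA server name (assumed values)
AAA_BY_REALM = {"example.com": "aaa-corp.example.com",
                "partner.example": "aaa-partner.example"}
DEFAULT_AAA = "aaa-default.example.com"


def realm_hint_from_idi(id_type, id_data):
    """Return a realm hint taken from IDi, or None when IDi carries none
    (an IP address or opaque key id gives the gateway nothing to route on)."""
    if id_type == ID_RFC822_ADDR:
        _user, sep, realm = id_data.decode("ascii").rpartition("@")
        return realm.lower() if sep else None
    if id_type == ID_FQDN:
        host = id_data.decode("ascii").lower()
        return host.split(".", 1)[1] if "." in host else None
    return None


def select_aaa_server(id_type, id_data):
    """Pick the AAA server from the IDi hint, falling back to the default."""
    return AAA_BY_REALM.get(realm_hint_from_idi(id_type, id_data), DEFAULT_AAA)


def eap_encode(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_decode(pkt):
    """Parse an EAP packet, rejecting a Length field that disagrees with the bytes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length")
    eap_type = pkt[4] if length > 4 else None
    return code, ident, eap_type, pkt[5:]


class ToyAaaServer:
    """Constructed AAA server: it, not the gateway, may ask for the EAP identity."""
    def __init__(self, accounts):
        self.accounts = accounts
        self.ident = 0

    def first_request(self):
        self.ident += 1
        return eap_encode(EAP_REQUEST, self.ident, EAP_TYPE_IDENTITY)

    def handle_response(self, pkt):
        code, ident, eap_type, data = eap_decode(pkt)
        if code != EAP_RESPONSE or ident != self.ident or eap_type != EAP_TYPE_IDENTITY:
            return eap_encode(EAP_FAILURE, ident)
        # A real server would now run an EAP method; the toy accepts known identities.
        ok = data.decode("utf-8", "replace") in self.accounts
        return eap_encode(EAP_SUCCESS if ok else EAP_FAILURE, ident)


class Gateway:
    """IKEv2 responder: selects the AAA server from IDi, then only relays EAP."""
    def __init__(self, servers):
        self.servers = servers
        self.aaa = None
        self.log = []

    def ike_auth_msg3(self, id_type, id_data):
        name = select_aaa_server(id_type, id_data)
        self.log.append(f"IDi hint -> {name}")
        self.aaa = self.servers[name]
        return self.aaa.first_request()  # relayed unchanged in message 4

    def relay(self, eap_from_initiator):
        # Pass-through: the gateway neither generates nor inspects EAP.
        return self.aaa.handle_response(eap_from_initiator)


def build_servers(accounts=frozenset({"alice@example.com"})):
    """Constructed set of AAA servers sharing one account list."""
    names = list(AAA_BY_REALM.values()) + [DEFAULT_AAA]
    return {name: ToyAaaServer(accounts) for name in names}


def run_exchange(servers, id_type, id_data, eap_identity):
    """Simulate one initiator: IDi in message 3, then an EAP-Response/Identity."""
    gw = Gateway(servers)
    _code, ident, _type, _ = eap_decode(gw.ike_auth_msg3(id_type, id_data))
    resp = eap_encode(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, eap_identity.encode())
    return gw.log[0], eap_decode(gw.relay(resp))[0]


if __name__ == "__main__":
    ip_idi = ipaddress.IPv4Address("192.0.2.7").packed  # constructed client address
    print(run_exchange(build_servers(), ID_RFC822_ADDR, b"alice@example.com", "alice@example.com"))
    print(run_exchange(build_servers(), ID_IPV4_ADDR, ip_idi, "alice@example.com"))
```

The second call in the demo is the situation from the thread: the client's IDi is an IP address, so `realm_hint_from_idi` returns `None` and the default server is chosen, yet authentication still succeeds because the Identity request originates at the AAA server and the gateway merely relays it.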