[IPsec] EAP Identity request in IKEv2

"Srinivasu S R S Dhulipala (srinid)" <srinid@cisco.com> Mon, 09 November 2009 09:41 UTC


Hi,

I see that RFC4306 has the following lines at the end of Sec 3.16:

   Note that since IKE passes an indication of initiator identity in
   message 3 of the protocol, the responder SHOULD NOT send EAP Identity
   requests.  The initiator SHOULD, however, respond to such requests if
   it receives them.

I see that from draft-ietf-ipsecme-ikev2bis-01, "SHOULD" and "SHOULD NOT"
were demoted to "should" and "should not"; the text now looks as below:

   {{ Demoted the SHOULD NOT and SHOULD }} Note that since IKE passes an
   indication of initiator identity in message 3 of the protocol, the
   responder should not send EAP Identity requests.  The initiator may,
   however, respond to such requests if it receives them.

Also, "The initiator SHOULD" is now "The initiator may".

I would like to understand why these changes were done. Why do we need
to do an EAP-ID request, as IDi should carry an indication of the client's
identity?

Thanks,

Srinivas
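The exchange the post discusses, as an added example that is not part of the original mail or of any IKEv2 implementation: an EAP Identity Request (RFC 3748 layout: Code, Identifier, Length, Type) carried inside IKE_AUTH, the initiator's "may respond" answer reusing the identity it already sent as IDi, and an assumed responder-side consistency check between IDi and the EAP identity (the check is this example's own policy, not RFC text; the identity string is constructed).

```python
"""Added example: EAP Identity Request/Response as it would appear inside
IKE_AUTH. Packet layout per RFC 3748; the IDi-vs-EAP identity check is an
assumption of this example, not text from RFC 4306 or ikev2bis."""
import struct
from typing import Optional

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1

def build_eap(code: int, identifier: int, eap_type: int, data: bytes = b"") -> bytes:
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    length = 5 + len(data)  # Length covers the whole packet, header included
    return struct.pack("!BBHB", code, identifier, length, eap_type) + data

def parse_eap(pkt: bytes) -> dict:
    """Decode an EAP packet, rejecting truncated or over-long buffers."""
    if len(pkt) < 5:
        raise ValueError("EAP packet shorter than header")
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError(f"EAP Length field {length} != buffer size {len(pkt)}")
    return {"code": code, "id": identifier, "type": eap_type, "data": pkt[5:]}

def initiator_answer(request: bytes, idi: str) -> Optional[bytes]:
    """Initiator side: answer an EAP Identity Request (the 'may respond' case)
    with the same identity already placed in IDi; ignore other EAP types."""
    req = parse_eap(request)
    if req["code"] != EAP_REQUEST or req["type"] != EAP_TYPE_IDENTITY:
        return None
    # The Response echoes the request's Identifier field (RFC 3748 section 4.1).
    return build_eap(EAP_RESPONSE, req["id"], EAP_TYPE_IDENTITY, idi.encode())

def responder_check(idi: str, eap_response: bytes) -> bool:
    """Responder side (assumed policy): if an Identity Response does arrive,
    require it to match the IDi from message 3 so a peer cannot present two
    different identities within one IKE_AUTH exchange."""
    resp = parse_eap(eap_response)
    if resp["code"] != EAP_RESPONSE or resp["type"] != EAP_TYPE_IDENTITY:
        return False
    return resp["data"].decode(errors="replace") == idi

if __name__ == "__main__":
    idi = "alice@example.com"  # constructed sample identity, same as sent in IDi
    req = build_eap(EAP_REQUEST, 7, EAP_TYPE_IDENTITY)  # the redundant request
    resp = initiator_answer(req, idi)
    print(resp.hex(), responder_check(idi, resp))
```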