[IPsec] Clarification on identities involved in IKEv2 EAP authentication

"Amjad Inamdar (amjads)" <amjads@cisco.com> Tue, 10 November 2009 11:40 UTC

Message-ID: <1CFAB1B15A6C1142BD1FC07D1CA82AB2015F102B@XMB-BGL-417.cisco.com>
To: <ipsec@ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>

With IKEv2 EAP authentication, there are 3 identities involved:

1) IDi - IKEv2 initiator identity sent in msg-3
2) EAP identity that the gateway (IKEv2 responder) can request from the
client (IKEv2 initiator)
3) Authenticated EAP identity that the third-party EAP server provides to
the gateway (IKEv2 responder).

Could someone please clarify from an RFC standpoint whether

1) The 3 identities mentioned above MUST/SHOULD be the same
2) If not the same, what purpose each of the above identities should serve
3) The mandatory/recommended format for each of the above identities
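To make the three identities in the question concrete, here is an added example (not from the poster or from any RFC) that parses the two on-the-wire forms a gateway actually sees, an IKEv2 ID payload (IDi, RFC 5996 section 3.5 layout) and an EAP-Response/Identity packet (RFC 3748 layout), and cross-checks both against the identity the AAA server returned. The policy in `check_identities` (use the AAA-vouched identity for authorization, report any mismatch with IDi or the EAP identity, and optionally reject on mismatch) is an assumption of this example, not an answer to the RFC question; the NAI-style realm normalisation and all sample identities are constructed.

```python
import struct

# IKEv2 Identification payload ID types (RFC 5996, section 3.5)
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR", 5: "ID_IPV6_ADDR",
            9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID"}

EAP_CODE_RESPONSE = 2   # RFC 3748 Code field
EAP_TYPE_IDENTITY = 1   # RFC 3748 Type field for Identity


def build_id_payload(id_type: int, data: bytes) -> bytes:
    """Construct a generic IKEv2 ID payload: next payload, C+reserved, length,
    ID type, 3 reserved bytes, identification data (sample input for the demo)."""
    return struct.pack("!BBHB", 0, 0, 8 + len(data), id_type) + b"\x00" * 3 + data


def build_eap_identity_response(identifier: int, identity: bytes) -> bytes:
    """Construct an EAP-Response/Identity packet (sample input for the demo)."""
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, 5 + len(identity),
                       EAP_TYPE_IDENTITY) + identity


def parse_id_payload(data: bytes):
    """Parse an IKEv2 ID payload into (ID type name, identity as text or hex)."""
    if len(data) < 8:
        raise ValueError("ID payload too short")
    _next, _flags, length, id_type = struct.unpack("!BBHB", data[:5])
    if length != len(data):
        raise ValueError("ID payload length field does not match buffer")
    name = ID_TYPES.get(id_type)
    if name is None:
        raise ValueError(f"unknown ID type {id_type}")
    body = data[8:]
    if name in ("ID_FQDN", "ID_RFC822_ADDR"):
        return name, body.decode("ascii")
    return name, body.hex()   # addresses, DNs and KEY_IDs are opaque here


def parse_eap_identity(data: bytes) -> str:
    """Parse an EAP-Response/Identity packet and return the identity string."""
    if len(data) < 5:
        raise ValueError("EAP packet too short")
    code, _ident, length, eap_type = struct.unpack("!BBHB", data[:5])
    if length != len(data):
        raise ValueError("EAP length field does not match buffer")
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    # RFC 3748 permits a NUL-terminated identity followed by options; keep only the identity.
    return data[5:].split(b"\x00", 1)[0].decode("utf-8")


def normalize(identity: str) -> str:
    """Assumption: identities are compared as NAIs, realm part case-insensitively."""
    user, sep, realm = identity.partition("@")
    return user + sep + realm.lower()


def check_identities(idi_payload: bytes, eap_identity_pkt: bytes, aaa_identity: str,
                     require_match: bool = True):
    """Responder-side cross-check of the three identities.
    Returns (identity to authorize, list of mismatch descriptions).
    Policy assumption: the AAA-vouched identity is authoritative; IDi and the EAP
    identity are cross-checked, and with require_match=True a mismatch rejects."""
    id_type, idi = parse_id_payload(idi_payload)
    eap_id = parse_eap_identity(eap_identity_pkt)
    mismatches = []
    if normalize(idi) != normalize(aaa_identity):
        mismatches.append(f"IDi ({id_type}) '{idi}' != AAA identity '{aaa_identity}'")
    if normalize(eap_id) != normalize(aaa_identity):
        mismatches.append(f"EAP identity '{eap_id}' != AAA identity '{aaa_identity}'")
    if mismatches and require_match:
        return None, mismatches
    return aaa_identity, mismatches


if __name__ == "__main__":
    # Constructed sample exchange: IDi as an RFC822 address, EAP identity as a NAI,
    # AAA server returns the same user (realm case differs only in IDi).
    idi = build_id_payload(3, b"alice@Example.com")
    eap = build_eap_identity_response(7, b"alice@example.com")
    print(check_identities(idi, eap, "alice@example.com"))
    # Constructed case where IDi is a device FQDN and the outer EAP identity is
    # an anonymous NAI, so neither matches what AAA vouched for.
    idi2 = build_id_payload(2, b"laptop.example.com")
    eap2 = build_eap_identity_response(8, b"anonymous@example.com")
    print(check_identities(idi2, eap2, "alice@example.com", require_match=False))
```

The value of running this against a real gateway's logs is seeing which of the three identities the authorization decision is actually keyed on; the `require_match` switch is where a deployment's answer to the poster's first question would be encoded.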