Re: [IPsec] EAP Identity request in IKEv2

"Srinivasu S R S Dhulipala (srinid)" <srinid@cisco.com> Wed, 11 November 2009 13:27 UTC

Return-Path: <srinid@cisco.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5385128C17E for <ipsec@core3.amsl.com>; Wed, 11 Nov 2009 05:27:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1BdGKHx9PmcA for <ipsec@core3.amsl.com>; Wed, 11 Nov 2009 05:27:26 -0800 (PST)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id A34B33A688D for <ipsec@ietf.org>; Wed, 11 Nov 2009 05:27:25 -0800 (PST)
Authentication-Results: sj-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AtAEAOpK+kqrR7H+/2dsb2JhbACCJizBMZgZgjeCBQSBa3s
X-IronPort-AV: E=Sophos; i="4.44,723,1249257600"; d="scan'208,217"; a="269464938"
Received: from sj-core-2.cisco.com ([171.71.177.254]) by sj-iport-1.cisco.com with ESMTP; 11 Nov 2009 13:27:53 +0000
Received: from xbh-bgl-411.cisco.com (xbh-bgl-411.cisco.com [72.163.129.201]) by sj-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id nABDRq09007529 for <ipsec@ietf.org>; Wed, 11 Nov 2009 13:27:52 GMT
Received: from xmb-bgl-41c.cisco.com ([72.163.129.218]) by xbh-bgl-411.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 11 Nov 2009 18:57:51 +0530
X-Mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CA62D2.C44458D2"
Date: Wed, 11 Nov 2009 18:57:50 +0530
Message-ID: <3A8C969225424C4D8E6BEE65ED8552DA4C446A@XMB-BGL-41C.cisco.com>
In-Reply-To: <3A8C969225424C4D8E6BEE65ED8552DA4C4068@XMB-BGL-41C.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [IPsec] EAP Identity request in IKEv2
Thread-Index: AcphINOUdgdsx/fWR1KgVBp/ms+t4ABry3aw
References: <3A8C969225424C4D8E6BEE65ED8552DA4C4068@XMB-BGL-41C.cisco.com>
From: "Srinivasu S R S Dhulipala (srinid)" <srinid@cisco.com>
To: "Srinivasu S R S Dhulipala (srinid)" <srinid@cisco.com>, <ipsec@ietf.org>
X-OriginalArrivalTime: 11 Nov 2009 13:27:51.0069 (UTC) FILETIME=[C45EECD0:01CA62D2]
Subject: Re: [IPsec] EAP Identity request in IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2009 13:27:28 -0000

Resending the query again, as I did not see any response to this query.

 

It looks like additional EAP ID request to the client is not needed, so
I think we should move

the "should" to "SHOULD" again. Any thoughts?

 

Thanks,

Srinivas

 

From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf
Of Srinivasu S R S Dhulipala (srinid)
Sent: Monday, November 09, 2009 3:12 PM
To: ipsec@ietf.org
Subject: [IPsec] EAP Identity request in IKEv2

 

Hi,

 

I see that RFC4306 has the following lines at the end of Sec3.16:

 

   Note that since IKE passes an indication of initiator identity in

   message 3 of the protocol, the responder SHOULD NOT send EAP Identity

   requests.  The initiator SHOULD, however, respond to such requests if

   it receives them.

 

I see that from draft-ietf-ipsecme-ikev2bis-01, "SHOUD" and "SHOULD NOT"
were demoted to

"should" and "should not", the text now looks as below:

 

   {{ Demoted the SHOULD NOT and SHOULD }} Note that since IKE passes an
   indication of initiator identity in message 3 of the protocol, the
   responder should not send EAP Identity requests.  The initiator may,
   however, respond to such requests if it receives them.

 

Also, "The initiator SHOULD" is now "The initiator may".

 

I would like to understand why these changes were done. Why do we need
to do an EAP-ID

request as IDi should carry an indication of the client's identity?

 

Thanks,

Srinivas