Re: [IPsec] Mandatory Public Key based authentication with EAP
Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 11 September 2014 06:19 UTC
Message-ID: <54113EE3.6040402@gmail.com>
Date: Thu, 11 Sep 2014 09:19:15 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Valery Smyslov <svanru@gmail.com>, Rahul Vaidya <rahul.stds@gmail.com>
References: <CAEX11nYFEj-f8m-8fK-j7FH-EDavG0XgmJwonFMj_V_5eJHFzQ@mail.gmail.com> <54113486.9020601@gmail.com> <CAEX11nbgia1scyZQjU9VxGiqZPC2bv7rUd6i9BR0U5tF2vZ9Yw@mail.gmail.com> <54113A28.6060305@gmail.com> <6ECDED003BD7418EAD5D555A64F80A68@buildpc>
In-Reply-To: <6ECDED003BD7418EAD5D555A64F80A68@buildpc>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/shplWR-sSCZfTl7zxsNBrF6W7Oo
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Mandatory Public Key based authentication with EAP
Hi Valery,

Thanks for popping up :-) You are right of course. The EAP_ONLY_AUTHENTICATION notification is mandatory in this case. I just didn't think of it as an additional condition.

Best,
Yaron

On 09/11/2014 09:15 AM, Valery Smyslov wrote:
> Hi Rahul, Yaron,
>
>> Hi Rahul,
>>
>> I am not aware of any additional conditions.
>
> Sorry to pop up, but doesn't text from RFC5998 apply only to EAP-only authentication? Isn't it an additional condition?
>
> I mean, that if you perform EAP authentication, as described in RFC5996, i.e. when responder does send AUTH payload in its first reply to IKE_AUTH, then even if you use EAP method with mutual authentication, the responder must use public signature to compute this AUTH payload.
>
> So, from my reading, RFC5998 updates RFC5996 in the sense, that responder is not needed to send this AUTH payload (and therefore, to use PK signature to compute it) if (and only if) it receives EAP_ONLY_AUTHENTICATION and honors it.
>
> Regards,
> Valery.
>
>> EAP-AKA is actually listed in the table in RFC 5998, Sec. 4.
>>
>> Thanks,
>> Yaron
>>
>> On 09/11/2014 08:44 AM, Rahul Vaidya wrote:
>>> Thanks for the quick reply, Yaron,
>>>
>>> So does it mean that if an EAP method provides mutual authentication (e.g., EAP-AKA), then this particular text from 5996 does not apply? Or are there further conditions which are not mentioned in 5998 where still the public key based authentication is required?
>>>
>>> Regards,
>>> Rahul
>>>
>>> On Thu, Sep 11, 2014 at 11:05 AM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
>>>
>>> Hi Rahul,
>>>
>>> This is why RFC 5998 is listed as "updates 5996". So RFC 5998 does apply here. Note that it only applies in specific cases, and for specific EAP methods.
>>>
>>> Yes, we should have updated the text in RFC 5996 to refer to 5998, but we forgot. Sigh.
>>>
>>> Thanks,
>>> Yaron
>>>
>>> On 09/11/2014 06:56 AM, Rahul Vaidya wrote:
>>>> Dear IPsec Experts,
>>>>
>>>> In RFC 4306, 5996 as well as draft-kivinen-ipsecme-ikev2-rfc5996bis, there is a statement:
>>>>
>>>> "An implementation using EAP MUST also use a public-key-based authentication of the server to the client before the EAP exchange begins, even if the EAP method offers mutual authentication."
>>>>
>>>> RFC 5998 which updates 5996 says:
>>>> "This document specifies how EAP methods that provide mutual authentication and key agreement can be used to provide extensible responder authentication for IKEv2 based on methods other than public key signatures."
>>>>
>>>> The 2 statements are contradictory, given the 'MUST' requirement for public-key based authentication in RFC 5996.
>>>>
>>>> I request a view from the IPsec community on whether public key based authentication can be avoided without impacting the security of the connection/network.
>>>>
>>>> Regards,
>>>> Rahul Vaidya
>>>>
>>>> _______________________________________________
>>>> IPsec mailing list
>>>> IPsec@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ipsec
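As an added example (not from this thread or any IETF implementation), the two decision rules the thread arrives at, modelled in Python for both IKE_AUTH endpoints: the responder may skip the public-key-signed AUTH only under the RFC 5998 conditions, and the initiator must refuse a reply that omits AUTH when it never asked for EAP-only. The SAFE_EAP_METHODS set follows the RFC 5998 Section 4 table (EAP-AKA is the one named in the thread), the `honor_eap_only` flag is an assumed local-policy knob, and IkeAuthRequest is a constructed model of the first IKE_AUTH message.

```python
from dataclasses import dataclass

# EAP methods that RFC 5998 Section 4 lists as providing mutual authentication
# and key agreement; any method outside this set must not be used EAP-only.
SAFE_EAP_METHODS = frozenset(
    {"EAP-SIM", "EAP-AKA", "EAP-AKA'", "EAP-GPSK", "EAP-pwd", "EAP-EKE"}
)


@dataclass(frozen=True)
class IkeAuthRequest:
    """Constructed model of what the responder sees in the initiator's first IKE_AUTH."""
    uses_eap: bool          # initiator omitted its AUTH payload to request EAP
    eap_only_notify: bool   # N(EAP_ONLY_AUTHENTICATION) was present
    eap_method: str         # EAP method the responder's EAP server will run


def responder_may_omit_signed_auth(req: IkeAuthRequest, honor_eap_only: bool) -> bool:
    """RFC 5996 rule: with EAP, the responder's first IKE_AUTH reply carries an AUTH
    payload computed with a public-key signature. RFC 5998 lets it be omitted only
    when all three hold: the notification was received, local policy honours it
    (assumed `honor_eap_only` knob), and the EAP method is a safe one."""
    if not req.uses_eap:
        raise ValueError("not the EAP case; the RFC 5996 / RFC 5998 rule does not apply")
    return req.eap_only_notify and honor_eap_only and req.eap_method in SAFE_EAP_METHODS


def initiator_accepts_reply(sent_eap_only: bool, eap_method: str,
                            reply_has_auth: bool, auth_signature_valid: bool) -> bool:
    """Initiator-side check of the responder's first IKE_AUTH reply.
    A reply carrying AUTH must carry a signature-based AUTH that verifies (the
    responder ignored, or does not support, the extension). A reply without AUTH
    is acceptable only if we sent EAP_ONLY_AUTHENTICATION and the method is safe;
    otherwise an unauthenticated responder is stripping the signature step."""
    if reply_has_auth:
        return auth_signature_valid
    return sent_eap_only and eap_method in SAFE_EAP_METHODS


if __name__ == "__main__":
    # Valery's point: EAP-AKA alone, without the notification, still needs the signature.
    plain = IkeAuthRequest(uses_eap=True, eap_only_notify=False, eap_method="EAP-AKA")
    print(responder_may_omit_signed_auth(plain, honor_eap_only=True))     # False
    eap_only = IkeAuthRequest(uses_eap=True, eap_only_notify=True, eap_method="EAP-AKA")
    print(responder_may_omit_signed_auth(eap_only, honor_eap_only=True))  # True
```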