Re: [IPsec] Mandatory Public Key based authentication with EAP

Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 11 September 2014 06:19 UTC

Message-ID: <54113EE3.6040402@gmail.com>
Date: Thu, 11 Sep 2014 09:19:15 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Valery Smyslov <svanru@gmail.com>, Rahul Vaidya <rahul.stds@gmail.com>
References: <CAEX11nYFEj-f8m-8fK-j7FH-EDavG0XgmJwonFMj_V_5eJHFzQ@mail.gmail.com> <54113486.9020601@gmail.com> <CAEX11nbgia1scyZQjU9VxGiqZPC2bv7rUd6i9BR0U5tF2vZ9Yw@mail.gmail.com> <54113A28.6060305@gmail.com> <6ECDED003BD7418EAD5D555A64F80A68@buildpc>
In-Reply-To: <6ECDED003BD7418EAD5D555A64F80A68@buildpc>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/shplWR-sSCZfTl7zxsNBrF6W7Oo
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Mandatory Public Key based authentication with EAP

Hi Valery,

Thanks for popping up :-)

You are right of course. The EAP_ONLY_AUTHENTICATION notification is 
mandatory in this case. I just didn't think of it as an additional 
condition.

Best,
	Yaron

On 09/11/2014 09:15 AM, Valery Smyslov wrote:
> Hi Rahul, Yaron,
>
>> Hi Rahul,
>>
>> I am not aware of any additional conditions.
>
> Sorry to pop up, but doesn't text from RFC5998 apply only
> to EAP-only authentication? Isn't it an additional condition?
>
> I mean that if you perform EAP authentication as described
> in RFC5996, i.e. when the responder does send an AUTH payload
> in its first reply to IKE_AUTH, then even if you use an
> EAP method with mutual authentication, the responder
> must use a public-key signature to compute this AUTH payload.
>
> So, from my reading, RFC5998 updates RFC5996 in the sense
> that the responder is not required to send this AUTH payload
> (and therefore to use a PK signature to compute it)
> if (and only if) it receives EAP_ONLY_AUTHENTICATION and honors it.
>
> Regards,
> Valery.
>
>> EAP-AKA is actually listed in the table in RFC 5998, Sec. 4.
>>
>> Thanks,
>> Yaron
>>
>> On 09/11/2014 08:44 AM, Rahul Vaidya wrote:
>>> Thanks for the quick reply, Yaron,
>>>
>>> So does it mean that if an EAP method provides mutual authentication
>>> (e.g., EAP-AKA), then this particular text from 5996 does not apply? Or
>>> are there further conditions, not mentioned in 5998, where
>>> public key based authentication is still required?
>>>
>>> Regards,
>>> Rahul
>>>
>>> On Thu, Sep 11, 2014 at 11:05 AM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
>>>
>>>     Hi Rahul,
>>>
>>>     This is why RFC 5998 is listed as "updates 5996". So RFC 5998 does
>>>     apply here. Note that it only applies in specific cases, and for
>>>     specific EAP methods.
>>>
>>>     Yes, we should have updated the text in RFC 5996 to refer to 5998,
>>>     but we forgot. Sigh.
>>>
>>>     Thanks,
>>>              Yaron
>>>
>>>
>>>     On 09/11/2014 06:56 AM, Rahul Vaidya wrote:
>>>
>>>         Dear IPsec Experts,
>>>
>>>         In RFC 4306, 5996 as well as
>>>         draft-kivinen-ipsecme-ikev2-rfc5996bis,
>>>         there is a statement:
>>>
>>>         "An implementation using EAP MUST also use a public-key-based
>>>         authentication of the server to the client before the EAP exchange
>>>         begins, even if the EAP method offers mutual authentication."
>>>
>>>         RFC 5998 which updates 5996 says:
>>>         "This document specifies how EAP methods that provide mutual
>>>         authentication and key agreement can be used to provide extensible
>>>         responder authentication for IKEv2 based on methods other than
>>>         public key signatures."
>>>
>>>         The 2 statements are contradictory, given the 'MUST' requirement for
>>>         public-key based authentication in RFC 5996.
>>>
>>>         I request a view from the IPsec community on whether public key
>>>         based authentication can be avoided without impacting the security
>>>         of the connection/network.
>>>
>>>         Regards,
>>>         Rahul Vaidya
>>>
>>>
>>>         _______________________________________________
>>>         IPsec mailing list
>>>         IPsec@ietf.org
>>>         https://www.ietf.org/mailman/listinfo/ipsec
>>>
>>>
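The rule the thread converges on, written out as an added example (not code from the thread or from any IKEv2 implementation): the responder may omit the public-key AUTH payload from its first IKE_AUTH reply only when the initiator sent EAP_ONLY_AUTHENTICATION, the responder honors it, and the EAP method is one RFC 5998 lists as providing mutual authentication and key agreement; the initiator-side check refuses a reply that drops AUTH under any other circumstances. It assumes the EAP method is known to both sides up front, and its safe-method set contains only EAP-AKA, the one method named in the thread; the other entries come from the table in RFC 5998, Section 4.

```python
from dataclasses import dataclass

# EAP methods RFC 5998 (Section 4) treats as safe for EAP-only authentication.
# Only EAP-AKA is taken from the thread; fill the rest in from the RFC's table.
RFC5998_SAFE_METHODS = frozenset({"EAP-AKA"})


@dataclass(frozen=True)
class IkeAuthRequest:
    eap_method: str                # EAP method the peers will run (assumed known up front)
    eap_only_authentication: bool  # initiator sent N(EAP_ONLY_AUTHENTICATION)


@dataclass(frozen=True)
class IkeAuthReply:
    payloads: tuple                # payload names in the responder's first IKE_AUTH reply


def responder_first_reply(req: IkeAuthRequest, honors_eap_only: bool) -> IkeAuthReply:
    """Responder side: decide whether the first IKE_AUTH reply carries a
    public-key AUTH payload (RFC 5996 rule) or omits it (RFC 5998 exception)."""
    eap_only = (req.eap_only_authentication                   # initiator asked for it ...
                and honors_eap_only                           # ... responder honors it ...
                and req.eap_method in RFC5998_SAFE_METHODS)   # ... and the method qualifies
    if eap_only:
        # RFC 5998: no signature now; both sides authenticate with the EAP MSK later.
        return IkeAuthReply(("IDr", "EAP"))
    # RFC 5996 default: the responder signs even if the EAP method is mutual.
    return IkeAuthReply(("IDr", "CERT", "AUTH", "EAP"))


def initiator_accepts(req: IkeAuthRequest, reply: IkeAuthReply) -> bool:
    """Initiator side: a reply that omits AUTH is acceptable only if this
    initiator requested EAP-only AND the method is on the RFC 5998 list.
    Anything else is a responder dropping public-key authentication uninvited."""
    if "AUTH" in reply.payloads:
        return True
    return req.eap_only_authentication and req.eap_method in RFC5998_SAFE_METHODS


if __name__ == "__main__":
    req = IkeAuthRequest("EAP-AKA", eap_only_authentication=True)
    for honors in (True, False):
        reply = responder_first_reply(req, honors)
        print(f"honors={honors}: payloads={reply.payloads}, ok={initiator_accepts(req, reply)}")
```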