RE: IKEv2 issue in RFC2486bis
Tschofenig Hannes <hannes.tschofenig@siemens.com> Mon, 16 August 2004 06:57 UTC
Envelope-to: radiusext-data@psg.com
Delivery-date: Mon, 16 Aug 2004 06:59:26 +0000
Message-ID: <2A8DB02E3018D411901B009027FD3A3F046864EC@mchp905a.mch.sbs.de>
From: Tschofenig Hannes <hannes.tschofenig@siemens.com>
To: 'Yoshihiro Ohba' <yohba@tari.toshiba.com>, radiusext@ops.ietf.org
Subject: RE: IKEv2 issue in RFC2486bis
Date: Mon, 16 Aug 2004 08:57:40 +0200
MIME-Version: 1.0
Content-Type: text/plain
hi yoshi, i am very much in favour of your proposal for adding new IKEv2 ID type. i have sent the ikev2 folks a mail about this issue many months ago. no reply. i hope it will be different now. ciao hannes ps: i also dislike the mentioned paragraph from section 3.16. > -----Original Message----- > From: Yoshihiro Ohba [mailto:yohba@tari.toshiba.com] > Sent: Sunday, August 29, 2004 7:12 PM > To: radiusext@ops.ietf.org > Subject: IKEv2 issue in RFC2486bis > > Hi, > > I had a discussion with Jari, Bernard and Pasi on an IKEv2 > issue of RFC2486bis and the following is the summary of the > discussion (please correct if I am wrong): > > Section 3.16 of draft-ietf-ipsec-ikev2-14.txt says: > > " > Note that since IKE passes an indication of initiator identity in > message 3 of the protocol, EAP based prompts for Identity > SHOULD NOT > be used. > " > > This means that an RFC2486bis NAI may be carried in an IKEv2 > Identity Payload when EAP is used in IKEv2. In this case, > there is an issue of which ID Type of IKEv2 Identification > Payload is appropriate to carry the RFC2486bis NAI. > > One possibility is using ID_RFC822_ADDR, but RFC822 address > is not compatible with RFC2486bis NAI at least in that (i) > RFC822 address does NOT allow the characters preceding "@" > (i.e., local-part) to be null and (ii) RFC822 address does > NOT allow ASCII control characters to appear in local-part > without being quoted as quoted-string (thus a > UTF-8 encoded username with containing ASCII control > characters is not compatible with local-part of RFC822 address.) > > Since IKEv2 specification does not prohibit an implementation > to perform strict check against RFC 822 format and returns an > error Notification with "INVALID_SYNTAX" when the strict > check fails, I think using ID_RFC822_ADDR for RFC2486bis NAI > has an interoperability problem. Using ID_KEY_ID is not > appropriate to carry RFC2486bis either, since it is used for > carrying certain proprietary types of identification. > > To solve the problem, I would suggest defining a new IKEv2 > Identification Payload Type to carry RFC2486bis NAI. > > Also, draft-ietf-ipsec-ikev2-iana-02.txt says: > > " > 7.1 Amending formula for IKEv2 Identification Payload ID Types > > IKEv2 Identification Payload ID Types may be allocated by > Specification Required. > " > > So I think RFC2486bis could be the Specification where the > new IKEv2 ID Type is defined. > > This was not discussed, but when a given RFC2486bis NAI also > conforms to RFC822 address, I think such an NAI can also be > carried as ID_RFC822_ADDR ID type. > > Best regards, > > Yoshihiro Ohba > > -- > to unsubscribe send a message to > radiusext-request@ops.ietf.org with the word 'unsubscribe' in > a single line as the message text body. > archive: <http://psg.com/lists/radiusext/> > -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://psg.com/lists/radiusext/>
- RE: IKEv2 issue in RFC2486bis Tschofenig Hannes
- Re: IKEv2 issue in RFC2486bis Jari Arkko
- Re: IKEv2 issue in RFC2486bis Bernard Aboba
- Re: IKEv2 issue in RFC2486bis Jari Arkko
- Re: IKEv2 issue in RFC2486bis Bernard Aboba
- Re: IKEv2 issue in RFC2486bis Jari Arkko
- Re: IKEv2 issue in RFC2486bis Jari Arkko
- IKEv2 issue in RFC2486bis Yoshihiro Ohba