Re: [Ipsec] IKEv2 identifier issue with EAP
Jari Arkko <jari.arkko@piuha.net> Tue, 17 August 2004 04:16 UTC
Envelope-to: radiusext-data@psg.com
Delivery-date: Tue, 17 Aug 2004 04:17:17 +0000
Message-ID: <41218683.80508@piuha.net>
Date: Tue, 17 Aug 2004 07:16:03 +0300
From: Jari Arkko <jari.arkko@piuha.net>
Reply-To: jari.arkko@piuha.net
Organization: None
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040316
MIME-Version: 1.0
To: "'radiusext@ops.ietf.org'" <radiusext@ops.ietf.org>
Cc: Charlie Kaufman <charliek@microsoft.com>
Subject: Re: [Ipsec] IKEv2 identifier issue with EAP
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Copying the RADEXT list on my question to the IPsec WG and Charlie Kaufman's response: Charlie Kaufman wrote: > I agree that this is likely to become a problem, that any of your > 'possible solutions' could be used to fix it (except that I don't > believe the first two 'define the problem away' were serious proposals), > and that the community SHOULD agree on one standard approach to maximize > interoperability. > > My favorite would be: > o Go against the SHOULD NOT when the given NAI requires this. > > ...because this also addresses the identity type hint that you say might > be coming. But others have argued heatedly that it is important to > minimize the number of messages in an IKE exchange, and this would > result in an eight message exchange while some of the other proposals > work in six. > > I'm really glad it's not my job anymore to herd the cats towards one > approach or the other. > > --Charlie > > p.s. If you are going to define a new ID type, it would need to be added > to the IANA registry for IKEv2. The procedure for this is "expert > review". It could probably be defined in some EAP RFC and ratified by > some expert chosen by the security ADs, but I don't know. > > > -----Original Message----- > From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf > Of Jari Arkko > Sent: Monday, August 16, 2004 4:17 AM > To: IPsec WG > Cc: Bernard Aboba > Subject: [Ipsec] IKEv2 identifier issue with EAP > > > First some background: In traditional EAP usage, the client's identifier > has been determined through the EAP Identity Request/Response exchange. > The identifier is typically a Network Access Identifier (NAI). Basically > an identifier similar to an e-mail address, used to identify the user > and to find the right home network in case of a roaming user. > > IKEv2-14 says the following: > > Note that since IKE passes an indication of initiator identity in > message 3 of the protocol, EAP based prompts for Identity SHOULD NOT > be used. > > it also defines one of the identity type as follows: > > ID_RFC822_ADDR 3 > > A fully-qualified RFC822 email address string, An example of > a ID_RFC822_ADDR is, "jsmith@example.com". The string MUST > not contain any terminators. > > In the RADEXT and EAP WGs, we have recently discussed some > problems that this causes. Here are the issues: > > 1. A revision of the NAI specification, RFC 2486bis, intends > to extend the existing user@domain format in > draft-arkko-roamops-rfc2486bis-02.txt, partially based on > existing practise. This spec is currently in WGLC in the > RADEXT WG. > > One of the extensions is to allow the client's identity > to be hidden from the access server / IKEv2 gateway, > if the used EAP method supports end-to-end encrypted > tranmission of the identity. Syntactically, this > happens through specifying an empty username, "@domain" > but keeping the domain pawrt in order to make the AAA > routing possible. > > The issue with IKEv2 is strictly speaking, this > string would be illegal in RFC 822. Hence an IKEv2 > implementation can not be relied upon to accept such > "privacy" user names. > > 2. Another extension from this draft is internationalized > NAIs. The domain parts are IDNs, i.e., converted to ASCII > via a specific mapping, but the username part is UTF-8. > Again, this is strictly speaking not conformant to RFC 822, > so sending an internationalized username via IKEv2 might > not be possible. For instance, someone might be assigned > a username for WLAN access, but the usage of this username > for IKEv2 purposes might not be possible if it contains > international characters. > > Some of the possible solutions to avoid this problem > include > > o Decide that support of privacy & international usernames > is not necessary in IKEv2. > > o Remove the privacy and international username (not domain) > parts from RFC 2486bis. > > o Change the international username part so that instead of > UTF-8, it uses a IDN-like ASCII mapping which can represent > non-ASCII characters but it looks like ASCII to the carrier. > Either remove the privacy feature or just say it can not > be used in all carrier protocols. > > o Define a new IKEv2 ID type to carry the new types NAIs. > (If so, would this type be defined in the NAIbis, IKEv2 > or some other draft?) > > o Rely on IKEv2 implementations to not check the contents > of the identifier for RFC 822 compliance. > > o Go against the SHOULD NOT when the given NAI requires this. > > 3. Ongoing work (and some existing practise) provides some > information through the EAP identity request. More specifically, > the client can get a hint of what type of identifier it should > offer. See draft-adrangi-eap-network-discovery-03.txt. > > This functionality does not appear to be present when running > EAP over IKEv2. (I have not heard of any customer who wanted > this functionality in this context, but I'd like to avoid > special cases where possible.) -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://psg.com/lists/radiusext/>
- Re: [Ipsec] IKEv2 identifier issue with EAP Jari Arkko