[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Secure legacy authentication for IKEv2

To: Charlie_Kaufman@notesdev.ibm.com
Subject: Re: Secure legacy authentication for IKEv2
From: Derek Atkins <derek@ihtfp.com>
Date: 08 Feb 2003 20:17:03 -0500
Cc: Derrell Piper <ddp@electric-loft.org>, ipsec@lists.tislabs.com
In-Reply-To: <OFA0B57355.764A989D-ON85256CB8.000E3444-85256CB8.000FCD51@notesdev.ibm.com>
References: <OFA0B57355.764A989D-ON85256CB8.000E3444-85256CB8.000FCD51@notesdev.ibm.com>
Sender: owner-ipsec@lists.tislabs.com
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7

Sorry for the delayed reply....

Charlie_Kaufman@notesdev.ibm.com writes:

> > This question is really directed at folks who have implementation
> > experience with EAP.  Is it the case that existing EAP implementations
> > generally do not require the optional identity exchange when they have
> > an identity available from some other out-of-band source?  I was hoping
> > some EAP folks would speak up here...  Or do you sometimes masquerade
> > in an EAP hat?  :-)
> 
> I checked my hat collection and none say EAP. I agree it would be nice to
> get feedback. Anyone???

I do not claim to be an EAP expert, but I have been working on a
Kerberos EAP method (so I do have some EAP experience printed on my
hat).  The answer is yes, the Identity is not required.  If the server
can somehow deduce the client's identity then it can initiate the EAP
Challenge directly to the client without the Identity Request.

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com

Prev by Date: Re: IKEV2: Issue #1: Legacy Authentication
Next by Date: Re: typical IPsec-based VPNs incl. modecfg vs. DHCP
Prev by thread: Re: IKEV2: Issue #4 Revised Identity
Next by thread: Ready for IETF Last Call draft-ietf-ipsec-dpd-01.txt
Index(es):
- Date
- Thread