[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Using config mode together with extended authentication

To: <ddukes@cisco.com>, <ipsec@lists.tislabs.com>
Subject: RE: Using config mode together with extended authentication
From: "Geoffrey Huang" <ghuang@cisco.com>
Date: Thu, 13 Mar 2003 13:26:58 -0800
Cc: "'Charlie Kaufman'" <ckaufman@notesdev.ibm.com>
Importance: Normal
In-Reply-To: <JJEIIAMEIEEPEILEFFODCEIAEIAA.ddukes@cisco.com>
Sender: owner-ipsec@lists.tislabs.com

OK - that's what I thought, that CP brackets the EAP exchange.  I just
wanted to be sure.  It'd be good to add the example below to the
document.

-g

> -----Original Message-----
> From: Darren Dukes [mailto:ddukes@cisco.com] 
> Sent: Thursday, March 13, 2003 1:20 PM
> To: Geoffrey Huang; ipsec@lists.tislabs.com
> Cc: Charlie Kaufman
> Subject: RE: Using config mode together with extended authentication
> 
> 
> In the scenario you mention the CP is sent before SAi2 and 
> SAr2.  So the
> initiator sends CP(CFG_REQUEST) in the first IKE_AUTH exchange and the
> responder sends CP(CFG_REPLY) in the last IKE_AUTH exchange.  
> Using the EAP
> example from the IKEv2-05 draft and inserting CP it would 
> look like this...
> 
> Initiator                          Responder
> -----------                        -----------
> HDR, SAi1, KEi, Ni         -->
>                            <--    HDR, SAr1, KEr, Nr, [CERTREQ]
> HDR, SK {IDi, [CERTREQ,] [IDr,]
>          [CP], SAi2, TSi, TSr}   -->
>                            <--    HDR, SK {IDr, [CERT,] AUTH,
>                                            EAP }
> HDR, SK {EAP, [AUTH] }     -->
>                            <--    HDR, SK {EAP, [AUTH],
>                                            [CP], SAr2, TSi, TSr }
> 
> 
> Charlie, could you add the CP payloads to the example for EAP 
> so this is
> clearer?
> 
> Darren
> 
> 
> 
> > -----Original Message-----
> > From: owner-ipsec@lists.tislabs.com
> > [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Geoffrey Huang
> > Sent: Thursday, March 13, 2003 3:08 PM
> > To: ipsec@lists.tislabs.com
> > Subject: Using config mode together with extended authentication
> >
> >
> > I've looked over the sections regarding EAP/XAuth and Config mode in
> > IKEv2-05, and there are packet descriptions in each section 
> describing
> > what IKE looks like if either one is used.  But what 
> happens if you do
> > the cfg request and EAP?  Based on the EAP description, the 
> responder
> > sends an EAP request in the 4th message, starting off an 
> EAP exchange.
> >
> > But the Cfg Request description says that the initiator sends a CP
> > payload before the SAi2 payload.  Does this mean that if we 
> do both CP
> > and EAP it looks like:
> >
> > INIT             RESPO
> > msg1   ---->
> >        <----     msg2
> > msg3+CP ---->
> >        <----     msg4+EAP
> > EAP    ---->
> >        <----     CP reply, etc.
> >
> > Maybe it's described in the document, and I just missed it.
> >
> > -g
> >
> 
>

References:
- RE: Using config mode together with extended authentication
  - From: "Darren Dukes" <ddukes@cisco.com>

Prev by Date: RE: Using config mode together with extended authentication
Next by Date: Re: Another field for traffic selector?
Prev by thread: RE: Using config mode together with extended authentication
Next by thread: RE: Using config mode together with extended authentication
Index(es):
- Date
- Thread