
Re: RE2: Do ipsec vendors care about privacy?



hugo@ee.technion.ac.il (Hugo Krawczyk) writes:
> The question is: DOES THE RESPONDER (GATEWAY) NEED TO KNOW the value IDi 
> IN ORDER TO DETERMINE THE CONTENTS OF THE EAP PAYLOAD SENT IN MESSAGE 4?

What if the responder cannot even do the policy lookup based on the
identity? If I have correctly understood EAP, then it can support
multiple authentication methods, i.e. for example say that for user
"kivinen" the authentication method used is one-time password and for
the user "hugo" the authentication method used is the generic token
card.

Now when the responder only knows that it is someone connecting who
wants to do EAP, how does it know which of those EAP authentication
types it should start?

Note that in EAP there is also a way to transport the identity inside
the EAP packet, and in that case we do not need the external identity. In
IKEv2 the EAP specification is trying to get rid of that exchange,
because it adds one more round trip and because we already have the
identity of the initiator (in the IDi payload).
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
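An added illustration of the responder's position described in the message above (example code written for this edit, not code from the list post or from SSH's toolkit): an IKEv2 responder choosing the EAP Request for IKE_AUTH message 4 from IDi, encoded with the EAP header layout and method type numbers of RFC 3748; the POLICY table and the challenge text are constructed assumptions.

```python
import struct
from typing import Optional, Tuple

# EAP header from RFC 3748: Code (1 byte), Identifier (1), Length (2), Type (1).
EAP_REQUEST = 1
EAP_TYPE_IDENTITY = 1   # EAP-Request/Identity: the in-EAP identity exchange
EAP_TYPE_OTP = 5        # One-Time Password
EAP_TYPE_GTC = 6        # Generic Token Card

# Constructed sample policy (hypothetical): which EAP method each IDi maps to.
POLICY = {"kivinen": EAP_TYPE_OTP, "hugo": EAP_TYPE_GTC}


def build_eap_request(identifier: int, eap_type: int, type_data: bytes = b"") -> bytes:
    """Encode an EAP Request; Length covers the whole packet including Type."""
    length = 5 + len(type_data)
    return struct.pack("!BBHB", EAP_REQUEST, identifier, length, eap_type) + type_data


def parse_eap(packet: bytes) -> dict:
    """Decode the EAP header and reject truncated or padded packets."""
    if len(packet) < 5:
        raise ValueError("EAP packet shorter than the minimum header")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    return {"code": code, "id": identifier, "type": eap_type, "data": packet[5:]}


def responder_message4(idi: Optional[str], identifier: int = 1) -> Tuple[Optional[bytes], bool]:
    """Decide what EAP payload the responder can put in IKE_AUTH message 4.

    Returns (eap_packet, extra_round_trip). With IDi the policy lookup picks the
    method directly; without IDi the responder must first send
    EAP-Request/Identity, which is the extra round trip the IKEv2 EAP text
    wants to avoid.
    """
    if idi is None:
        return build_eap_request(identifier, EAP_TYPE_IDENTITY), True
    method = POLICY.get(idi)
    if method is None:
        return None, False  # no policy for this identity: nothing to start, reject
    # OTP and GTC both carry a displayable prompt as Type-Data (constructed text).
    return build_eap_request(identifier, method, b"Challenge (constructed)"), False
```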