[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue 9: Identity Protection Closed

To: Barbara Fraser <byfraser@cisco.com>
Subject: Re: Issue 9: Identity Protection Closed
From: Yoshihiro Ohba <yohba@tari.toshiba.com>
Date: Wed, 2 Jul 2003 14:21:22 -0700
Cc: ipsec@lists.tislabs.com, tytso@mit.edu, angelos@cs.columbia.edu, Tero Kivinen <kivinen@ssh.fi>
In-Reply-To: <4.3.2.7.2.20030702104352.03501ee8@mira-sjc5-4.cisco.com>
References: <3F009E0C.5010109@airespace.com> <4.3.2.7.2.20030702104352.03501ee8@mira-sjc5-4.cisco.com>
Sender: owner-ipsec@lists.tislabs.com
User-Agent: Mutt/1.5.4i

Hi,

I'm working mainly in PANA WG and EAP WG and I recently joined this
list.  Please allow me to send this email after only rough reading of
the thread on this issue.

First of all, I agree that there is no need to change IKEv2 protocol
behavior to support identity protection from active attacks.

One way to address this is to use an anononymous identifier in IKEv2
ID payload sent by initiator and use a real identifier in an
EAP-Identity exchange (or an identity exchange that may be defined in
a particular EAP authentication method in IKE_AUTH exchange).

If fact, a similar approach already exists.  For example, some
EAP-TTLS implementation allows an EAP peer to use an anonymous
identity (e.g, anonymous@foo.bar.com) in the EAP-Identity
request/response carried outside the TLS tunnel, and use a real
identity (realname@foo.bar.com) in the EAP-Identity request/response
performed inside the TLS tunnel.

On the other hand, the following sentence in section 3.16 of the
ikev2-08 draft seems to be a bit restrictive (if the above solution is
valid)

   "Note that since IKE passes an indication of initiator identity in
   message 3 of the protocol, EAP based prompts for Identity SHOULD NOT
   be used."

So, I'd like to suggest either removing the sentense or revising the
sentense to:

   "Note that since IKE passes an indication of initiator identity in
   message 3 of the protocol, EAP based prompts for Identity SHOULD NOT
   be used if the initiator identity passed from IKE is used as the 
   EAP peer identity."

Regards,
Yoshihiro Ohba

On Wed, Jul 02, 2003 at 10:58:07AM -0700, Barbara Fraser wrote:
> Hi folks,
> 
> Ted and I would like to officially state that the issue of addressing 
> identity protection against active attacks is not going to be included in 
> the base IKEv2 document. This decision was made months ago. There are ways 
> to address this outside the IKEv2 base specification, should folks want to 
> start up a new working group.
> 
> Thanks,
> Barb and Ted

Follow-Ups:
- RE: Issue 9: Identity Protection Closed
  - From: "Yoav Nir" <ynir@CheckPoint.com>

References:
- Issue 9: Identity Protection Closed
  - From: Barbara Fraser <byfraser@cisco.com>

Prev by Date: Issue 9: Identity Protection Closed
Next by Date: Re: IPsec VPN Gateway
Prev by thread: Issue 9: Identity Protection Closed
Next by thread: RE: Issue 9: Identity Protection Closed
Index(es):
- Date
- Thread