[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Final editing changes to IKEv2

To: <ynir@checkpoint.com>, <tytso@mit.edu>
Subject: RE: Final editing changes to IKEv2
From: Pasi.Eronen@nokia.com
Date: Thu, 18 Mar 2004 15:21:36 +0200
Cc: <ipsec@lists.tislabs.com>
Sender: owner-ipsec@lists.tislabs.com
Thread-index: AcQMLV+ykNxB3J8+Q6ijbolLuxi8nAAu46eQ
Thread-topic: Final editing changes to IKEv2


Hi,

Having the responder send the AUTH payload and EAP-Success 
in the same message is OK. However, this does not solve the 
initiator's case. "As soon as it can" is still a bit ambigous, 
and in draft -12 the initiator sends the AUTH payload _before_ 
receiving EAP-Success. But EAP peer state machine currently 
"exports" the key only _after_ receiving EAP-Success.

So it seems that we need to either slightly change how EAP works 
or add another roundtrip. Both options are certainly feasible, 
but IMHO the latter requires less work...

Best regards,
Pasi

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of ext Yoav Nir
> Sent: Wednesday, March 17, 2004 3:32 PM
> To: Theodore Ts'o
> Cc: ipsec@lists.tislabs.com
> Subject: Re: Final editing changes to IKEv2
> 
> 
> 
> This is one message that proposed two options, and did not 
> receive any 
> responses.  Is this a consensus?
> 
> Anyway, EAP is originally a PPP protocol.  The last message 
> (success/failure) is not meant to be reliable.  If it is lost, its 
> existence can be inferred in PPP by what happens next (IPCP 
> in case of 
> success, or LCP terminate in case of failure).  There is never any 
> response to the EAP success message, so there is no need for the IKE 
> machine to send it to the client as soon as it is received.
> 
> If the EAP machine first sends the Authentication success, and 
> afterwards sends the key (or the reverse), the IKE machine should 
> buffer whichever comes first until the other arrives, and then send 
> both the EAP success and the auth payload in one message just 
> as it is 
> specified in -12.
> 
> It should be possible to resolve the ambiguity by saying that the 
> client sends the AUTH payload as soon as it can, while the 
> server sends 
> it in the last packet along with the Success/Failure message. 
>  I don't 
> see a reason to add an extra roundtrip.
> 
> On Mar 16, 2004, at 7:54 PM, Theodore Ts'o wrote:
> 
> >
> > The following represent the final changes that we believe the IPSEC
> > working group has developed a consensus to make to IKEv2.  If anyone
> > has any problems to these set of changes, please make them 
> known within
> > 48 hours.  Otherwise, they will represent editing 
> instructions to the
> > IKEv2 document editor before we submit this document to the Area
> > Director for IETF Last Call.
> >
> > 2. Add an additional round trip when utilizing  EAP to avoid the
> >    ambiguity of what "after having sufficient information 
> to compute 
> > the
> >    key" might mean.  This is commonly done in most other 
> applications
> >    that utilize EAP.
> >
> >     http://www.vpnc.org/ietf-ipsec/mail-archive/msg02719.html
> >
> 
>

Prev by Date: Re: Document
Next by Date: Re: Traffic selectors, fragments, ICMP messages and security policy problems
Previous by thread: Re: Final editing changes to IKEv2
Next by thread: RE: Final editing changes to IKEv2
Index(es):
- Date
- Thread