
RE: Final editing changes to IKEv2



How about this:

The responder (gateway) sends the AUTH and the child-sa response in a 
response message following the initiator (client) AUTH payload.

If the client has the EAP machine integrated, this is before receiving 
the EAP success.  If it isn't then we may need an extra round trip.  If 
the client can't tell that the EAP neg has ended until she gets the 
EAP-success (imagine a protocol where the server sends several personal 
questions), then the extra round-trip is necessary.

I think in the general case the extra round trip will not be necessary, 
but gateways will be required to support both cases.

Is this OK?

Yoav
>
> Hi,
>
> Having the responder send the AUTH payload and EAP-Success
> in the same message is OK. However, this does not solve the
> initiator's case. "As soon as it can" is still a bit ambiguous,
> and in draft -12 the initiator sends the AUTH payload _before_
> receiving EAP-Success. But EAP peer state machine currently
> "exports" the key only _after_ receiving EAP-Success.
>
> So it seems that we need to either slightly change how EAP works
> or add another roundtrip. Both options are certainly feasible,
> but IMHO the latter requires less work...
>
> Best regards,
> Pasi
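The two cases Yoav and Pasi are discussing, simulated as an added example that is not part of this thread or of the IKEv2 draft. It assumes a toy question-and-answer EAP method (constructed questions, answers and server nonce), stands in a fixed byte string for the octets the initiator's AUTH covers, and uses the AUTH construction IKEv2 (RFC 4306, section 2.16) specifies for EAP, prf(prf(MSK, "Key Pad for IKEv2"), signed octets). An "integrated" peer exports the MSK as soon as the method itself says it is finished; a non-integrated peer exports it only on EAP-Success, as Pasi describes. The gateway logic accepts both, sending its own AUTH and the child SA only after a valid initiator AUTH, and the count of IKE_AUTH round trips shows where the extra one comes from.

```python
import hashlib
import hmac

# Constructed fixtures for the simulation (not real protocol data).
QUESTIONS = [(b"mother's maiden name?", b"Smith"), (b"first pet's name?", b"Rex")]
SERVER_NONCE = b"constructed-server-nonce"
# Stand-in for the octets the initiator's AUTH signs (IKE_SA_INIT request, Nr,
# prf(SK_pi, IDi')); both sides hold them after IKE_SA_INIT, so a constant will do.
INIT_SIGNED_OCTETS = b"IKE_SA_INIT-request|Nr|prf(SK_pi,IDi')"
KEY_PAD = b"Key Pad for IKEv2"


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_msk(nonce, answers):
    """Toy EAP method key: MSK bound to the server nonce and every answer given."""
    return prf(nonce, b"|".join(answers))


def auth_payload(msk, signed_octets):
    """AUTH = prf(prf(MSK, "Key Pad for IKEv2"), <signed octets>) (RFC 4306 2.16)."""
    return prf(prf(msk, KEY_PAD), signed_octets)


class EapServer:
    """Gateway side of the toy method; the MSK exists once the last answer is in."""
    def __init__(self, qa, nonce):
        self.qa, self.nonce, self.answers, self.msk = list(qa), nonce, [], None

    def request(self):
        i = len(self.answers)
        return {"q": self.qa[i][0], "nonce": self.nonce, "last": i == len(self.qa) - 1}

    def response(self, answer):
        if answer != self.qa[len(self.answers)][1]:
            raise ValueError("wrong answer")
        self.answers.append(answer)
        if len(self.answers) == len(self.qa):
            self.msk = derive_msk(self.nonce, self.answers)


class EapPeer:
    """Client side. integrated=True: key exported when the method flags its last
    request. integrated=False: key exported only on EAP-Success."""
    def __init__(self, qa, integrated):
        self.answers, self.integrated = dict(qa), integrated
        self.given, self.nonce, self.msk = [], None, None

    def response(self, req):
        answer = self.answers[req["q"]]
        self.given.append(answer)
        self.nonce = req["nonce"]
        if req["last"] and self.integrated:
            self.msk = derive_msk(self.nonce, self.given)
        return answer

    def success(self):
        self.msk = derive_msk(self.nonce, self.given)


def ike_auth_with_eap(integrated):
    """Run the IKE_AUTH exchanges after IKE_SA_INIT; return (round trips, final reply)."""
    server, peer = EapServer(QUESTIONS, SERVER_NONCE), EapPeer(QUESTIONS, integrated)
    # Exchange 1: initiator sends IDi without AUTH to ask for EAP; responder answers
    # with IDr, its own AUTH and the first EAP-Request.
    round_trips, success_sent = 1, False
    reply = {"EAP-Request": server.request()}
    while "AUTH" not in reply:
        # --- initiator: EAP-Response while the method runs, AUTH as soon as it can ---
        msg = {}
        if "EAP-Request" in reply:
            msg["EAP-Response"] = peer.response(reply["EAP-Request"])
        if "EAP-Success" in reply:
            peer.success()
        if peer.msk is not None:
            msg["AUTH"] = auth_payload(peer.msk, INIT_SIGNED_OCTETS)
        round_trips += 1
        # --- responder (gateway): drive EAP; AUTH + child SA only after a valid AUTH ---
        reply = {}
        if "EAP-Response" in msg:
            server.response(msg["EAP-Response"])
            if server.msk is None:
                reply["EAP-Request"] = server.request()
        if server.msk is not None and not success_sent:
            reply["EAP-Success"], success_sent = True, True
        if "AUTH" in msg:
            expected = auth_payload(server.msk, INIT_SIGNED_OCTETS) if server.msk else b""
            if not hmac.compare_digest(msg["AUTH"], expected):
                raise ValueError("initiator AUTH failed")
            reply["AUTH"], reply["SAr2"] = b"responder-auth", True
    return round_trips, reply


if __name__ == "__main__":
    for mode in (True, False):
        n, last = ike_auth_with_eap(mode)
        print("integrated" if mode else "non-integrated", "round trips:", n, sorted(last))
```

With two questions the integrated peer finishes in three IKE_AUTH round trips (AUTH rides on the last EAP-Response and the gateway returns EAP-Success, AUTH and SAr2 together); the non-integrated peer needs a fourth, because the gateway must first send EAP-Success alone before the initiator can produce AUTH.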