
RE: EAP Roundtrips (was: Temporary version of the new IKEv2 draft)

I made the revisions to IKEv2-13 over the weekend without having seen
the discussion of EAP roundtrips on the mailing list Friday. The change
reflects the instructions I got from Ted on 3/16.

I am happy to change it again if that is the working group consensus,
but I'll mention the argument on the other side.

While minimizing round trips has been a priority in designing IKEv2,
minimizing protocol variations has also been a priority. By allowing the
initiator to put the AUTH payload in either of two messages, the
responder is required to accept it in either message. While this does
not substantially complicate an implementation based on a state machine,
it does complicate testing in that both protocol variants would have to
be tested. It was this sort of argument that prevented us from having an
"optional" additional exchange for EAP to prompt for identity (which
arguably offers security advantages in some scenarios).

So if we're going to do this, I want Ted and Barbara to officially
declare consensus. And I guess that means if there are objections,
people should express them now. If that looks like the direction, I'll
post proposed language to the list before doing another revision.

And I hope this can all go on in parallel with IETF last call.

	--Charlie

-----Original Message-----
From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com] On Behalf Of Yoav Nir
Sent: Wednesday, March 24, 2004 7:42 AM
To: ipsec@lists.tislabs.com; Paul Hoffman / VPNC
Subject: EAP Roundtrips (was: Temporary version of the new IKEv2 draft)

Again, regarding section 2.16, I believe it should say that the
Initiator MAY send the AUTH payload before the EAP-success message, in
which case the Responder SHOULD send the AUTH, SAr2, TSi, TSr along
with the EAP-success. In this case, the initial SA establishment will
be shortened to 6 messages.
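The two message flows under discussion, as an added Python model that is not part of this thread or of any IKEv2 implementation: the responder class, its state names and the eap_rounds parameter are my own constructs, and the EAP method is abstracted to a fixed number of request/response rounds. It shows the 8-message standard flow, the 6-message early-AUTH variant, and the two responder code paths that Charlie's testing argument refers to.

```python
# Added model, not from the thread: IKE_SA_INIT plus IKE_AUTH with EAP, run
# in the draft's standard form and in the early-AUTH variant proposed above.
from dataclasses import dataclass

@dataclass
class Msg:
    sender: str      # "I" = initiator, "R" = responder
    payloads: tuple  # payload names only; no real IKE encoding

class Responder:
    """Responder side of IKE_AUTH.  It has to accept the initiator's AUTH
    either with the final EAP response (early) or on its own (late), so a
    conformance test must drive both paths (hypothetical state names)."""
    def __init__(self, eap_rounds):
        self.state, self.remaining = "START", eap_rounds
        self.path = []  # states visited; shows which variant was exercised

    def handle(self, req):
        self.path.append(self.state)
        if self.state == "START":       # IDi without AUTH: initiator wants EAP
            self.state = "EAP"
            return ("IDr", "CERT", "AUTH", "EAP")
        if self.state == "EAP":
            self.remaining -= 1
            if self.remaining > 0:      # EAP method still has requests to send
                return ("EAP",)
            if "AUTH" in req.payloads:  # early AUTH: finish in this reply
                self.state = "DONE"
                return ("EAP-Success", "AUTH", "SAr2", "TSi", "TSr")
            self.state = "AWAIT_AUTH"   # late AUTH: one more round trip
            return ("EAP-Success",)
        if self.state == "AWAIT_AUTH" and "AUTH" in req.payloads:
            self.state = "DONE"
            return ("AUTH", "SAr2", "TSi", "TSr")
        raise ValueError(f"unexpected message in state {self.state}")

def run(early_auth, eap_rounds=1):
    """Drive one SA setup; returns (all messages, responder states visited)."""
    msgs = [Msg("I", ("SAi1", "KEi", "Ni")), Msg("R", ("SAr1", "KEr", "Nr"))]
    resp = Responder(eap_rounds)
    def exchange(payloads):             # one initiator request and its reply
        msgs.append(Msg("I", payloads))
        msgs.append(Msg("R", resp.handle(msgs[-1])))
    exchange(("IDi", "SAi2", "TSi", "TSr"))  # no AUTH: asks for EAP
    for i in range(eap_rounds):
        last = i == eap_rounds - 1
        exchange(("EAP", "AUTH") if last and early_auth else ("EAP",))
    if not early_auth:
        exchange(("AUTH",))
    return msgs, resp.path
```

With a one-round EAP method, run(False) yields 8 messages and visits the AWAIT_AUTH state, while run(True) yields 6 and never enters it; a responder test suite has to cover both.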