
RE: clarification on IKEv2 with EAP
David Mariblanca wrote:

> I will give my interpretation of chapter 16 and please confirm 
> if it is correct.
> - The EAP payloads are sent in the IKEv2 messages without 
> AUTH payloads. The AUTH payloads are sent only in the last 
> two IKEv2 messages, and they correspond to the last two EAP 
> messages, that is, AUTH in message 7 to EAP payload in 
> message 5, and AUTH in message 8 to EAP payload in message 6

No, AUTH payloads do not authenticate the EAP messages; they
authenticate the IKEv2 SA (basically information from the 
first two IKEv2 messages; the first paragraph of Section 2.15 
explains exactly what is included in the "<message octets>").

(All EAP messages are also MAC'd with SK_ar/SK_ai, but this is 
not related to AUTH payloads; the integrity protection is 
included in the "SK{...}" notation).

Best regards,
Pasi
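The point made in the reply above (AUTH covers the IKE_SA_INIT message, the peer's nonce and a MAC of the ID payload, and not the EAP exchange), worked through as an added example. This is not code from this thread or from any IKEv2 implementation. It follows the pseudocode in RFC 4306 Section 2.15 for the initiator's signed octets and computes AUTH from the EAP-generated MSK as described in Section 2.16; the prf is assumed to be PRF_HMAC_SHA1, and the SPI, nonces, SK_pi, MSK, the SA/KE payload bodies and the EAP payload are all constructed values (in a real exchange SK_pi comes from SKEYSEED, i.e. from the Diffie-Hellman exchange, and MSK from the EAP method).

```python
"""IKEv2 AUTH computation for an EAP-authenticated initiator (RFC 4306 2.15/2.16).

Added example, not code from the original e-mail. All message contents,
nonces and keys below are constructed; the prf is assumed to be PRF_HMAC_SHA1.
"""
import hashlib
import hmac
import struct


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1, assumed here as the negotiated prf."""
    return hmac.new(key, data, hashlib.sha1).digest()


# Generic payload header (RFC 4306 3.2): Next Payload, C|RESERVED, Payload Length.
def payload(next_payload: int, body: bytes) -> bytes:
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


# Payload type numbers (RFC 4306 3.2) and ID type (3.5).
NONE, SA, KE, Ni_Nr = 0, 33, 34, 40
ID_FQDN = 2
IKE_SA_INIT, FLAG_INITIATOR = 34, 0x08


def ike_header(spi_i: bytes, spi_r: bytes, first_payload: int,
               exchange_type: int, flags: int, msg_id: int, body_len: int) -> bytes:
    """IKE header (RFC 4306 3.1): SPIi SPIr NP Ver ExchType Flags MsgID Length."""
    return spi_i + spi_r + struct.pack("!BBBBII", first_payload, 0x20,
                                       exchange_type, flags, msg_id, 28 + body_len)


def build_message1(spi_i: bytes, ni_data: bytes, sa_body: bytes, ke_body: bytes) -> bytes:
    """IKE_SA_INIT request: HDR, SAi1, KEi, Ni (each payload's header names the next one)."""
    body = payload(KE, sa_body) + payload(Ni_Nr, ke_body) + payload(NONE, ni_data)
    return ike_header(spi_i, b"\x00" * 8, SA, IKE_SA_INIT, FLAG_INITIATOR, 0, len(body)) + body


def rest_of_id_payload(id_type: int, id_data: bytes) -> bytes:
    """ID payload minus its 4-byte generic header: ID Type, 3 RESERVED, data (3.5)."""
    return struct.pack("!B3x", id_type) + id_data


def signed_octets(real_message: bytes, peer_nonce_data: bytes,
                  sk_p: bytes, rest_of_id: bytes) -> bytes:
    """RFC 4306 2.15: RealMessage | peer NonceData | prf(SK_p, RestOfIDPayload).

    The message octets run from the first octet of the first SPI to the last
    octet of the last payload, i.e. the whole IKE_SA_INIT message.  The nonce
    and the MACed ID are appended only for the computation; neither is sent.
    """
    return real_message + peer_nonce_data + prf(sk_p, rest_of_id)


def auth_from_shared_key(shared_key: bytes, octets: bytes) -> bytes:
    """Shared-key AUTH (2.15); with EAP the shared key is the EAP MSK (2.16).
    "Key Pad for IKEv2" is 17 ASCII characters without null termination."""
    return prf(prf(shared_key, b"Key Pad for IKEv2"), octets)


def initiator_auth(message1: bytes, nr: bytes, sk_pi: bytes, idi_rest: bytes, msk: bytes) -> bytes:
    return auth_from_shared_key(msk, signed_octets(message1, nr, sk_pi, idi_rest))


def responder_verifies(received_auth: bytes, message1_as_seen: bytes, nr: bytes,
                       sk_pi: bytes, idi_rest: bytes, msk: bytes) -> bool:
    """The responder recomputes AUTH over the message 1 it actually received."""
    expected = initiator_auth(message1_as_seen, nr, sk_pi, idi_rest, msk)
    return hmac.compare_digest(received_auth, expected)


# Constructed inputs (hypothetical values, not from any real exchange).
SPI_I = bytes.fromhex("0123456789abcdef")
NI = bytes(range(16))                    # initiator nonce, 16 bytes
NR = bytes(range(16, 48))                # responder nonce, 32 bytes
SK_PI = b"\x11" * 20                     # would come from SKEYSEED (2.14)
MSK = b"\x22" * 64                       # would come from the EAP method (2.16)
IDI_REST = rest_of_id_payload(ID_FQDN, b"client.example.com")
MESSAGE1 = build_message1(SPI_I, NI, b"<SA proposal>", b"<KE data>")
# Constructed EAP Identity request (Code 1, Identifier 1, Length 5, Type 1),
# as it would be carried in an EAP payload of IKE_AUTH message 4.
EAP_REQUEST = payload(NONE, bytes.fromhex("0101000501"))


def example() -> dict:
    auth = initiator_auth(MESSAGE1, NR, SK_PI, IDI_REST, MSK)
    tampered = bytearray(MESSAGE1)
    tampered[-1] ^= 0x01                 # flip one bit of Ni inside message 1
    return {
        "auth_len": len(auth),
        "ok": responder_verifies(auth, MESSAGE1, NR, SK_PI, IDI_REST, MSK),
        "tampered_rejected": not responder_verifies(auth, bytes(tampered), NR, SK_PI, IDI_REST, MSK),
        # The EAP messages never enter the signed octets; they are only
        # integrity-protected by SK_ai/SK_ar as part of SK{...}.
        "eap_not_covered": EAP_REQUEST not in signed_octets(MESSAGE1, NR, SK_PI, IDI_REST),
    }


if __name__ == "__main__":
    print(example())
```

The verify step shows why AUTH binds the IKE SA rather than the EAP conversation: a single flipped bit in the initiator's IKE_SA_INIT message changes the octets the responder MACs, so verification fails, while the EAP payload bytes are simply not part of the input.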