RE: clarification on IKEv2 with EAP
David Mariblanca wrote:
> I will give my interpretation of chapter 16 and please confirm
> if it is correct.
> - The EAP payloads are sent in the IKEv2 messages without
> AUTH payloads. The AUTH payloads are sent only in the last
> two IKEv2 messages, and they correspond to the last two EAP
> messages, that is, AUTH in message 7 to EAP payload in
> message 5, and AUTH in message 8 to EAP payload in message 6
No, AUTH payloads do not authenticate the EAP messages, they
authenticate the IKEv2 SA (basically information from the
first two IKEv2 messages; first paragraph of Section 2.15
explains exactly what is included in the "<message octets>").
(All EAP messages are also MAC'd with SK_ar/SK_ai, but this is
not related to AUTH payloads; the integrity protection is
included in the "SK{...}" notation).
Best regards,
Pasi
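Added example, not part of the original message: a Python sketch of the AUTH computation as specified in RFC 7296, Sections 2.15 and 2.16, which flips one bit in each input in turn to show which fields AUTH actually covers. Assumptions: the negotiated PRF is HMAC-SHA-256, the EAP method exports an MSK that serves as the shared secret, and every value in `SAMPLE` (including the field names) is a constructed placeholder.

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # fixed ASCII string from RFC 7296, Section 2.15

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: the negotiated PRF is HMAC-SHA-256.
    return hmac.new(key, data, hashlib.sha256).digest()

def auth(x: dict, role: str) -> bytes:
    """AUTH sent by the 'initiator' (message 7) or the 'responder' (message 8)."""
    if role == "initiator":
        own_msg, peer_nonce = x["msg1"], x["nr"]
        sk_p, id_body = x["sk_pi"], x["idi_body"]
    else:
        own_msg, peer_nonce = x["msg2"], x["ni"]
        sk_p, id_body = x["sk_pr"], x["idr_body"]
    # Signed octets: own IKE_SA_INIT message | peer nonce | prf(SK_p, ID body)
    octets = own_msg + peer_nonce + prf(sk_p, id_body)
    # With EAP, the shared secret is the MSK exported by the EAP method.
    return prf(prf(x["msk"], KEY_PAD), octets)

def fields_covered(x: dict, role: str) -> set:
    """Flip one bit in each field in turn; return the fields that change AUTH."""
    baseline = auth(x, role)
    covered = set()
    for name, value in x.items():
        mutated = dict(x)
        mutated[name] = bytes([value[0] ^ 1]) + value[1:]
        if auth(mutated, role) != baseline:
            covered.add(name)
    return covered

# Constructed sample values, not a real capture. In real traffic msg1 and msg2
# contain Ni and Nr; here every field is an independent byte string.
SAMPLE = {
    "msg1": b"\x11" * 64, "msg2": b"\x22" * 64,          # IKE_SA_INIT request/response
    "ni": b"\x33" * 32, "nr": b"\x44" * 32,              # nonce values
    "idi_body": b"\x02\x00\x00\x00alice",                # ID payloads without
    "idr_body": b"\x02\x00\x00\x00gateway",              #   the generic header
    "sk_pi": b"\x55" * 32, "sk_pr": b"\x66" * 32,
    "msk": b"\x77" * 64,                                 # key exported by the EAP method
    "eap_msg5": b"\x02\x01\x00\x06\x01x",                # EAP payload in message 5
    "eap_msg6": b"\x03\x01\x00\x04",                     # EAP payload in message 6
}

if __name__ == "__main__":
    for role in ("initiator", "responder"):
        print(role, sorted(fields_covered(SAMPLE, role)))
```

The EAP payloads never appear in either result; the EAP exchange influences AUTH only through the MSK it produces.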