
RE: clarification on IKEv2 with EAP


Ok, I see. I did not remember the EAP messages were already integrity protected and encrypted with SK_a and SK_e. Then the AUTH payloads protect the IKE_INIT messages, the ones which were not sent protected since there was no key material yet to do it, correct?


-----Original Message-----
From: Pasi.Eronen@nokia.com [mailto:Pasi.Eronen@nokia.com]
Sent: Thursday, 01 April 2004 13:19
To: David Mariblanca (ML/EEM); ipsec@lists.tislabs.com
Subject: RE: clarification on IKEv2 with EAP

David Mariblanca wrote:

> I will give my interpretation of chapter 16 and please confirm 
> if it is correct.
> - The EAP payloads are sent in the IKEv2 messages without 
> AUTH payloads. The AUTH payloads are sent only in the last 
> two IKEv2 messages, and they correspond to the last two EAP 
> messages, that is, AUTH in message 7 to EAP payload in 
> message 5, and AUTH in message 8 to EAP payload in message 6

No, AUTH payloads do not authenticate the EAP messages, they
authenticate the IKEv2 SA (basically information from the 
first two IKEv2 messages; first paragraph of Section 2.15 
explains exactly what is included in the "<message octets>").

(All EAP messages are also MAC'd with SK_ar/SK_ai, but this is 
not related to AUTH payloads; the integrity protection is 
included in the "SK{...}" notation).

Best regards,
Pasi
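The computation the thread is arguing about, as an added example that is not part of the original messages and not code from any IKEv2 implementation. It follows the AUTH construction of RFC 4306 sections 2.15 and 2.16 (the same section numbers as the draft discussed above): the signed octets are one side's own IKE_SA_INIT message, the other side's nonce and prf(SK_px, IDx'), and with EAP the shared key fed into prf(prf(Shared Key, "Key Pad for IKEv2"), <message octets>) is the EAP MSK. The PRF is assumed to be PRF_HMAC_SHA1 and the SK{...} integrity algorithm AUTH_HMAC_SHA1_96; every key, nonce, ID body and message below is a constructed test value, not a captured exchange. The demo shows why AUTH in message 7 is computed over message 1 rather than over the EAP payload in message 5: a responder that saw a different message 1 (say, a downgraded SAi1) or an initiator that ended EAP with a different MSK fails the check, while tampering with an EAP message is caught by the SK_ai ICV instead.

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"   # RFC 4306 s.2.15, shared-key AUTH padding


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1 (assumed negotiated PRF)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def signed_octets(own_ike_sa_init: bytes, peer_nonce: bytes,
                  sk_p: bytes, id_payload_body: bytes) -> bytes:
    """<message octets> of s.2.15: the sender's own IKE_SA_INIT message
    (request for the initiator, response for the responder), the *peer's*
    nonce, and prf(SK_px, IDx') where IDx' is the ID payload without its
    generic payload header.  No EAP message is part of this."""
    return own_ike_sa_init + peer_nonce + prf(sk_p, id_payload_body)


def auth_payload(shared_key: bytes, octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Key, "Key Pad for IKEv2"), <message octets>).
    With EAP (s.2.16) the shared key is the MSK exported by the EAP method,
    so neither side can build AUTH until EAP has finished."""
    return prf(prf(shared_key, KEY_PAD), octets)


def initiator_auth(msk, msg1, nr, sk_pi, idi_body) -> bytes:
    """AUTH carried in message 7 of the s.2.16 exchange."""
    return auth_payload(msk, signed_octets(msg1, nr, sk_pi, idi_body))


def responder_auth(msk, msg2, ni, sk_pr, idr_body) -> bytes:
    """AUTH carried in message 8 of the s.2.16 exchange."""
    return auth_payload(msk, signed_octets(msg2, ni, sk_pr, idr_body))


def verify_auth(expected: bytes, received: bytes) -> bool:
    return hmac.compare_digest(expected, received)


def sk_icv(sk_a: bytes, ike_msg_through_encrypted_payload: bytes) -> bytes:
    """Integrity check value that the SK{...} notation implies: every
    encrypted message, EAP ones included, is MAC'd with SK_ai (initiator to
    responder) or SK_ar (responder to initiator).  AUTH_HMAC_SHA1_96 keeps
    the first 96 bits; the real input runs from the IKE header up to the ICV."""
    return prf(sk_a, ike_msg_through_encrypted_payload)[:12]


# ---- constructed sample values (not a real capture) ----
MSG1 = b"HDR(SPIi,0) SAi1=[AES-128 HMAC-SHA1 DH14] KEi Ni (constructed msg 1)"
MSG2 = b"HDR(SPIi,SPIr) SAr1=[AES-128 HMAC-SHA1 DH14] KEr Nr (constructed msg 2)"
NI, NR = bytes.fromhex("11" * 16), bytes.fromhex("22" * 16)
SK_PI, SK_PR = bytes.fromhex("33" * 20), bytes.fromhex("44" * 20)
SK_AI = bytes.fromhex("55" * 20)
IDI_BODY = b"\x03\x00\x00\x00" + b"alice@example.com"   # ID_RFC822_ADDR body
IDR_BODY = b"\x02\x00\x00\x00" + b"gw.example.com"      # ID_FQDN body
MSK = bytes.fromhex("66" * 64)          # 64-octet EAP MSK (constructed)
WRONG_MSK = bytes.fromhex("67" * 64)    # MSK from a different EAP run
MSG5_EAP = b"HDR SK{EAP-Response (constructed msg 5)}"


def demo() -> dict:
    """Responder-side checks on the initiator's AUTH from message 7."""
    # Initiator builds AUTH over the message 1 it actually sent.
    auth7 = initiator_auth(MSK, MSG1, NR, SK_PI, IDI_BODY)

    # Honest case: the responder recorded the identical message 1.
    genuine = verify_auth(initiator_auth(MSK, MSG1, NR, SK_PI, IDI_BODY), auth7)

    # Message 1 was altered in flight (e.g. SAi1 downgraded) before the
    # responder saw it: the responder recomputes over *its* copy and fails.
    tampered_msg1 = MSG1.replace(b"AES-128", b"NULL")
    downgraded = verify_auth(
        initiator_auth(MSK, tampered_msg1, NR, SK_PI, IDI_BODY), auth7)

    # Initiator's EAP run ended with a different MSK: AUTH cannot match.
    wrong_msk = verify_auth(
        initiator_auth(WRONG_MSK, MSG1, NR, SK_PI, IDI_BODY), auth7)

    # EAP payloads are not in <message octets>; their protection is the
    # SK_ai ICV, which changes as soon as message 5 is modified.
    eap_tamper_detected = sk_icv(SK_AI, MSG5_EAP) != sk_icv(
        SK_AI, MSG5_EAP.replace(b"Response", b"Success"))

    return {
        "genuine": genuine,
        "downgraded_sa_rejected": not downgraded,
        "wrong_msk_rejected": not wrong_msk,
        "eap_tamper_detected": eap_tamper_detected,
        "auth_len": len(auth7),
    }


if __name__ == "__main__":
    print(demo())
```

The responder's message 8 AUTH is the mirror image (`responder_auth` over message 2, Ni and SK_pr), so the same checks apply in the other direction. Note that nothing here is wired to an EAP state machine: the MSK is simply handed in, which is all section 2.16 requires of the EAP method.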