
Question about reauthentication
Hi all.

With some IKE scenarios, especially with remote access, people have a need
for the IKE peer to authenticate periodically.  This is meant to prevent a
case where the user left his computer (or, say, his seat in the Internet
cafe) and now anybody can use the open VPN tunnel.  We want the user to
enter their credentials again.

In IKEv1 we would just require the user to run Phase1 again, expiring the
IKE SA every 1-2 hours.

What would be the proper way in IKEv2?

One solution would be to require the whole initial exchange again.  This
is consistent with the IKEv1 solution, but it unnecessarily ties re-keying
with re-authentication.  It is also not the proper way to re-key in IKEv2.

Another solution would be to have the client do a stand-alone AUTH
exchange.  This does not generate keys, and is shorter.  The problem is
what do we sign in this AUTH exchange?  Is it message 2 of the original
INITIAL exchange?  Do we need to keep it indefinitely?  It is feasible,
but slightly weird.

Any other ideas?