
Re: EAP Roundtrips (was: Temporary version of the new IKEv2 draft)




This e-mail tries to summarize the discussions we had on
the EAP WG mailing list and (mostly) privately among some
of the EAP state machine and methods folks. Yoshihiro,
Pasi, Joe, Hannes -- feel free to add or correct as
appropriate.

The question was whether one roundtrip should be eliminated
from IKEv2, by making it possible (but optional) to send an
AUTH payload from the client as soon as the client has generated
a key from EAP, and not wait until EAP Success packet has
been received from the gateway.

No strong opinions were presented, but the consensus we seem
to have arrived at is that it's simpler and better to spend
the extra roundtrip than to add a protocol variation, a change
of EAP state machine draft, and possibly some EAP method and
API implementation changes for systems that want to take
advantage of this.

The following points were brought up:

  o  Yoshihiro analyzed the potential impacts of the EAP state
     machine change for 802.11 wireless LANs which also use
     EAP. It was found that the change would NOT have an
     impact in 802.11, i.e., from that point of view the
     change is possible.

  o  EAP in general is able to survive the loss of the
     EAP Success message (which is not retransmitted).

  o  OTOH, there is a need to define "when key is available"
     precisely. Some EAP methods might have a key available
     before the endpoints have authenticated each other, for
     instance. EAP base specification sets requirements for
     EAP methods, but it does not talk about what methods
     definitions should say about the matter. Many methods
     have already been defined; this might lead to different
     interpretations in different implementations.

  o  Joe brought up the possibility of EAP methods where the
     client does not know whether the server is yet finished;
     if the client would send an AUTH payload when it's done
     the server might still have to perform roundtrips. This
     would have to be taken into account in the IKEv2 spec.

  o  Number of roundtrips is a concern for many people.
     But Tero's and Charlie's worry about protocol variants
     is also a concern, as is the need to ensure that the
     early key availability suits the particular EAP method.

--Jari
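The two message flows Jari compares above, as an added example that is not part of the original message or of any IKEv2 implementation: a small constructed model of the IKE_AUTH exchange with EAP that counts round trips for the standard flow (client AUTH only after EAP Success) and for the proposed early-AUTH variant, and flags the hazard Joe raised, a method whose key is available before the server has finished its rounds. The EapMethod shape, round counts and message labels are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List

# Constructed model, not from the thread: an EAP method is reduced to the
# number of Request/Response rounds carried inside IKE_AUTH and the round
# after which the initiator has derived its key.
@dataclass(frozen=True)
class EapMethod:
    name: str
    rounds: int
    key_ready_after: int  # assumption: fixed by the method's own definition

    def __post_init__(self) -> None:
        if not 1 <= self.key_ready_after <= self.rounds:
            raise ValueError("key must become available during the method")

def ikev2_eap_messages(method: EapMethod, early_auth: bool) -> List[str]:
    """List the IKE_AUTH messages that follow IKE_SA_INIT (HDR/SK omitted).

    Standard flow: the initiator sends AUTH only after EAP Success.
    Early-AUTH variant: the initiator attaches AUTH to the EAP Response
    of the round in which its key became available.
    """
    msgs = ["I->R: IDi, SAi2, TSi, TSr   (no AUTH: EAP requested)",
            "R->I: IDr, AUTH, EAP-Request#1"]
    for rnd in range(1, method.rounds + 1):
        resp = f"I->R: EAP-Response#{rnd}"
        if early_auth and rnd == method.key_ready_after:
            resp += ", AUTH"
        msgs.append(resp)
        if rnd < method.rounds:
            msgs.append(f"R->I: EAP-Request#{rnd + 1}")
    if early_auth:
        # Responder already holds the initiator's AUTH: one combined reply.
        msgs.append("R->I: EAP-Success, AUTH, SAr2, TSi, TSr")
    else:
        msgs += ["R->I: EAP-Success",
                 "I->R: AUTH",
                 "R->I: AUTH, SAr2, TSi, TSr"]
    return msgs

def round_trips(msgs: List[str]) -> int:
    """IKEv2 is strictly request/response: each I->R message is one round trip."""
    return sum(1 for m in msgs if m.startswith("I->R"))

def premature_auth(method: EapMethod) -> bool:
    """Hazard from the thread: the key exists before the server is finished."""
    return method.key_ready_after < method.rounds
```

With a constructed three-round method whose key is ready in the last round, `round_trips` drops from 5 to 4 under early AUTH; with the key ready after round 2, `premature_auth` is True and the early AUTH would be sent while EAP Request #3 is still pending.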