
[Ipsec] Repeated Authentication in IKEv2
Hi All

Several weeks ago there was a discussion here about repeating the 
authentication in IKE.  The rationale is that a peer may be taken over 
by another user without deleting the SAs, and so the new user can use 
the tunnel without authentication.  The most likely example would be a 
public computer with a remote-access client, where the user forgot to 
click the "Disconnect" button.

The proposed solution was to have the original Initiator repeat the 
authentication periodically.  It is up to the original Initiator to 
initiate the IKE exchange (because the user may have to enter a 
password or insert a USB token or some such), but the policy as to how 
often this should be done is up to the Responder.  That policy needs to 
be sent to the Initiator through some kind of notification.

At the time it was agreed that it is too late to include in the IKEv2 
draft, but rather that it should be an optional extension.

Here's a link to the draft.  Your comments are welcome.

http://www.ietf.org/internet-drafts/draft-nir-ikev2-auth-lt-00.txt

Yoav Nir
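The mechanism described in the message above, modelled as an added example that is not part of the draft or of any IKE implementation. The Responder chooses the lifetime of one authentication and hands it to the Initiator in a notification; the Initiator must re-run the authentication before that deadline, which only the person at the keyboard can do; once the deadline passes without a fresh authentication, the Responder deletes the SA and stops forwarding traffic, so a later user of the same unattended machine loses the tunnel. The notification name AUTH_LIFETIME, the numeric lifetimes, the credential table and all class and function names are assumptions made for this model; no IKEv2 wire format is reproduced.

```python
"""Model of IKEv2 repeated authentication with a Responder-chosen lifetime.

Added example; names, values and the AUTH_LIFETIME notification label are
assumptions for this model, not taken from the draft or any implementation.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed credential table standing in for whatever the gateway checks.
USERS = {"alice": "alice-pw"}

# Initiator re-authenticates this many seconds before the deadline (assumed).
REAUTH_MARGIN = 300


def credential_ok(user: str, credential: str) -> bool:
    return USERS.get(user) == credential


@dataclass
class Responder:
    """Gateway side: sets the re-authentication policy and enforces it."""
    auth_lifetime: int                              # seconds one authentication is good for
    sas: Dict[int, int] = field(default_factory=dict)   # spi -> expiry time of its authentication

    def ike_auth(self, spi: int, user: str, credential: str, now: int) -> Optional[dict]:
        """Accept the authentication if the credential is valid and reply with
        the policy; in the real protocol this would ride in a notify payload."""
        if not credential_ok(user, credential):
            return None
        # A repeated authentication simply refreshes the expiry of this SA in
        # the model (the draft's real exchange creates a new IKE SA).
        self.sas[spi] = now + self.auth_lifetime
        return {"notify": "AUTH_LIFETIME", "lifetime": self.auth_lifetime}

    def accept_traffic(self, spi: int, now: int) -> bool:
        """Traffic is forwarded only while the SA's authentication is fresh;
        a stale SA is deleted rather than trusted."""
        expiry = self.sas.get(spi)
        if expiry is None:
            return False
        if now > expiry:
            del self.sas[spi]
            return False
        return True


@dataclass
class Initiator:
    """Remote-access client: the only side that can initiate the repeat."""
    spi: int
    user: str
    reauth_deadline: Optional[int] = None

    def connect(self, responder: Responder, credential: str, now: int) -> bool:
        reply = responder.ike_auth(self.spi, self.user, credential, now)
        if reply is None:
            return False
        self.reauth_deadline = now + reply["lifetime"]
        return True

    def tick(self, responder: Responder, now: int,
             credential_source: Callable[[], Optional[str]]) -> None:
        """Called periodically. Shortly before the deadline, ask whoever is at
        the machine for a credential (password prompt, token read). If nobody
        answers, or the answer is wrong, the client gives up and the Responder
        will let the SA expire."""
        if self.reauth_deadline is None:
            return
        if now >= self.reauth_deadline - REAUTH_MARGIN:
            cred = credential_source()
            if cred is None or not self.connect(responder, cred, now):
                self.reauth_deadline = None


def run(lifetime: int, credential_source: Callable[[], Optional[str]],
        end: int = 7200, step: int = 300) -> Dict[int, bool]:
    """Simulate one session; return time -> whether the gateway accepted traffic."""
    responder = Responder(auth_lifetime=lifetime)
    client = Initiator(spi=1, user="alice")
    if not client.connect(responder, "alice-pw", now=0):
        raise RuntimeError("initial authentication failed")
    accepted = {}
    for now in range(step, end + 1, step):
        client.tick(responder, now, credential_source)
        accepted[now] = responder.accept_traffic(1, now)
    return accepted


if __name__ == "__main__":
    attended = run(3600, lambda: "alice-pw")     # user stays and answers the prompt
    abandoned = run(3600, lambda: None)          # user walked away without disconnecting
    for t in (3600, 3900, 7200):
        print(t, "attended:", attended[t], "abandoned:", abandoned[t])
```

With a one-hour lifetime the attended session keeps the tunnel up indefinitely, while the abandoned one is still forwarded at t=3600 and refused from the next step on, regardless of who is sitting at the machine by then; the Responder's lifetime, not the client's behaviour, bounds the exposure.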


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec