[Ipsec] Repeated Authentication in IKEv2
Hi All
Several weeks ago there was a discussion here about repeating the
authentication in IKE. The rationale is that a peer may be taken over
by another user without deleting the SAs, and so the new user can use
the tunnel without authentication. The most likely example would be a
public computer with a remote-access client, where the user forgot to
click the "Disconnect" button.
The proposed solution was to have the original Initiator repeat the
authentication periodically. It is up to the original Initiator to
initiate the IKE exchange (because the user may have to enter a
password or insert a USB token or some such), but the policy as to how
often this should be done is up to the Responder. That policy needs to
be sent to the Initiator through some kind of notification.
At the time it was agreed that it is too late to include in the IKEv2
draft, but rather that it should be an optional extension.
Here's a link to the draft. Your comments are welcome.
http://www.ietf.org/internet-drafts/draft-nir-ikev2-auth-lt-00.txt
Yoav Nir
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
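The mechanism the message sketches, as an added example that is not code from the draft or the poster: the Responder packs its re-authentication policy into an IKEv2 Notify payload, the Initiator parses it and decides when a fresh IKE_AUTH is due, and the Responder deletes an SA that was not re-authenticated in time. The Notify Message Type number (16403) and the 4-octet lifetime-in-seconds encoding are assumptions of this example; the draft-00 text on this page does not specify them.

```python
import struct
from typing import Optional

# Assumed for this example: the notify type number and the 4-octet seconds
# encoding are not given in the message above.
AUTH_LIFETIME = 16403


def build_auth_lifetime_notify(lifetime_seconds: int, next_payload: int = 0) -> bytes:
    """Responder side: encode the re-auth policy as an IKEv2 Notify payload."""
    data = struct.pack("!I", lifetime_seconds)
    # Notify body: Protocol ID (0 = IKE SA itself), SPI Size (0), Notify Message Type, data
    body = struct.pack("!BBH", 0, 0, AUTH_LIFETIME) + data
    # Generic payload header: Next Payload, Critical/Reserved, Payload Length (incl. header)
    header = struct.pack("!BBH", next_payload, 0, 4 + len(body))
    return header + body


def parse_auth_lifetime(payload: bytes) -> Optional[int]:
    """Initiator side: return the lifetime in seconds, or None for any other notify type.

    Length fields are checked before use so a malformed payload is rejected
    rather than silently yielding a bogus lifetime.
    """
    if len(payload) < 8:
        raise ValueError("truncated Notify payload")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("Notify length field does not match payload size")
    _proto, spi_size, ntype = struct.unpack("!BBH", payload[4:8])
    if ntype != AUTH_LIFETIME:
        return None
    data = payload[8 + spi_size:]
    if len(data) != 4:
        raise ValueError("AUTH_LIFETIME data must be exactly 4 octets")
    return struct.unpack("!I", data)[0]


def reauth_due(sa_created: float, lifetime_seconds: int, now: float, margin: float = 60.0) -> bool:
    """Initiator policy: start the new IKE_SA_INIT/IKE_AUTH before the lifetime runs out."""
    return now >= sa_created + lifetime_seconds - margin


def sa_expired(sa_created: float, lifetime_seconds: int, now: float) -> bool:
    """Responder enforcement: an SA not re-authenticated within the lifetime is deleted."""
    return now >= sa_created + lifetime_seconds
```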