
List:       ipsec
Subject:    [IPsec] Issue #32 Demoted SHOULD: EAP Identity Request
From:       Tero Kivinen <kivinen () iki ! fi>
Date:       2008-09-23 13:58:44
Message-ID: 18648.62996.136882.689426 () fireball ! kivinen ! iki ! fi

> >  3.16.  Extensible Authentication Protocol (EAP) Payload
> ...
> >     {{ Demoted the SHOULD NOT and SHOULD }} Note that since IKE passes an
> >     indication of initiator identity in message 3 of the protocol, the
> >     responder should not send EAP Identity requests.  The initiator may,
> >     however, respond to such requests if it receives them.
> 
> This is again a bits-on-the-wire protocol change if someone after this
> does not follow the SHOULD NOT and SHOULD written here before. I think
> it should be kept as it was before.
> 
> ===Not done. Disagree about this being bits on the wire because the responder
> might have sent the request anyway.

I do think it is a protocol change if the responder is changed from not
sending identity requests to sending them. The reason this was not MUST
was that it might have been impossible to implement the EAP identity
request skipping in some EAP libraries. The clear intention was that
EAP Identity requests and replies SHOULD NOT be used. And the SHOULD
there meant exactly what "SHOULD" means, i.e. "that there may exist
valid reasons in particular circumstances to ignore a particular item,
but the full implications must be understood and carefully weighed
before choosing a different course."

I.e. the valid reason for not skipping the identity request would have
been that it is impossible because the EAP library does them
automatically and they cannot be disabled. The bad thing about doing
EAP identity requests is that the policy lookups for the entity are NOT
done based on them, but based on the ID payloads in IKEv2. If the
identity payloads mismatch (i.e. the EAP payloads claim I am
kivinen@iki.fi, but the ID payload claims I am paul.hoffman@vpnc.org),
the authentication might still succeed, as the EAP library just uses the
EAP identity payload to verify the credentials, but the IKE library uses
the ID sent in IKE, and nobody checks that those two match.

BTW, I think we need to add some text that says those identities must
match or at least you MUST use the EAP identity for access control and
policy lookups, and also add some text to security considerations
section.
-- 
kivinen@safenet-inc.com
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
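The identity mismatch described in the message above, modelled as an added Python example (this is not code from the thread or from any IKE or EAP implementation). The credential store, the policy table, the `PeerAuth` record and all function names are constructed for illustration; the two e-mail addresses are the ones used as examples in the message. The "without cross-check" responder authenticates credentials against the EAP identity but selects policy by the IKEv2 IDi payload, so a mismatched pair is granted the wrong policy; the two hardened variants correspond to the two remedies the message proposes (require the identities to match, or do the policy lookup on the EAP identity).

```python
"""Modelling the IKEv2 / EAP identity mismatch: constructed example.

EAP verifies credentials for the EAP Identity; the IKE responder looks up
policy for the IDi payload from message 3. If nothing compares the two,
a peer can be authorised under a policy belonging to someone else.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed EAP credential store, keyed by EAP Identity. This is what a
# stand-in EAP library would authenticate against.
EAP_CREDENTIALS = {
    "kivinen@iki.fi": "secret-k",
    "paul.hoffman@vpnc.org": "secret-p",
}

# Constructed IKEv2 policy table, keyed by the value carried in the IDi payload.
IKE_POLICY = {
    "kivinen@iki.fi": {"allowed_subnets": ["10.1.0.0/16"], "admin": False},
    "paul.hoffman@vpnc.org": {"allowed_subnets": ["10.2.0.0/16"], "admin": True},
}


@dataclass
class PeerAuth:
    """What the responder knows about one peer after the EAP exchange."""
    ike_id: str        # identity from the IKEv2 IDi payload (message 3)
    eap_identity: str  # identity the EAP exchange authenticated
    eap_password: str  # credential presented inside EAP


def eap_authenticate(identity: str, password: str) -> bool:
    """Stand-in for the EAP library: it only ever sees the EAP identity."""
    return EAP_CREDENTIALS.get(identity) == password


def normalize(identity: str) -> str:
    """Canonical form for comparison; assumption: case-insensitive e-mail IDs."""
    return identity.strip().lower()


def authorize_without_cross_check(peer: PeerAuth) -> Optional[dict]:
    """The failure mode from the message: EAP checks the credentials for the
    EAP identity, IKE selects policy for the IDi payload, nobody compares."""
    if not eap_authenticate(peer.eap_identity, peer.eap_password):
        return None
    return IKE_POLICY.get(peer.ike_id)


def authorize_require_match(peer: PeerAuth) -> Optional[dict]:
    """Remedy 1: refuse the SA unless the EAP identity matches the IKE IDi,
    so the policy selected belongs to the entity whose credentials were verified."""
    if not eap_authenticate(peer.eap_identity, peer.eap_password):
        return None
    if normalize(peer.eap_identity) != normalize(peer.ike_id):
        return None
    return IKE_POLICY.get(peer.ike_id)


def authorize_by_eap_identity(peer: PeerAuth) -> Optional[dict]:
    """Remedy 2: do access control and policy lookup on the EAP identity,
    i.e. the identity that was actually authenticated, ignoring IDi for policy."""
    if not eap_authenticate(peer.eap_identity, peer.eap_password):
        return None
    return IKE_POLICY.get(normalize(peer.eap_identity))


if __name__ == "__main__":
    # Constructed mismatched peer: authenticates as kivinen@iki.fi inside EAP,
    # but claims paul.hoffman@vpnc.org in the IKEv2 IDi payload.
    mismatched = PeerAuth("paul.hoffman@vpnc.org", "kivinen@iki.fi", "secret-k")
    print("no cross-check :", authorize_without_cross_check(mismatched))
    print("require match  :", authorize_require_match(mismatched))
    print("by EAP identity:", authorize_by_eap_identity(mismatched))
```

Running the block prints the admin policy for the mismatched peer under the unchecked variant and the correct (non-admin) or denied result under the two hardened ones; both remedies also reject a peer whose EAP password is wrong, since the EAP check comes first in every variant.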