Re: [IPsec] WG Last Call: draft-ietf-ipsecme-ikev2-redirect-08

Tue, 21 Apr 2009 03:29:43 -0700 

So are we working with the assumption that the gateway (or the AAA server) can 
always authenticate any user that connects? 

> -----Original Message-----
> From: Yaron Sheffer 
> Sent: Monday, April 20, 2009 10:43 AM
> To: Yoav Nir; Vijay Devarapalli
> Cc: IPsecme WG
> Subject: RE: [IPsec] WG Last Call: 
> draft-ietf-ipsecme-ikev2-redirect-08
> 
> Below.
> 
> > -----Original Message-----
> > From: Yoav Nir
> > Sent: Monday, April 20, 2009 10:30
> > To: Vijay Devarapalli
> > Cc: Yaron Sheffer; IPsecme WG
> > Subject: RE: [IPsec] WG Last Call: 
> > draft-ietf-ipsecme-ikev2-redirect-08
> > 
> > Hi
> > 
> > Come to think of it, I'm wondering about something else.
> > 
> > Let's suppose that the gateway cannot tell where the user 
> should connect.
> > The EAP exchange with the AAA server begins. The AAA server 
> realizes 
> > that the user name ("jdoe") is not in its database, and the user 
> > should be redirected to gateway B.
> > 
> > What now?  Does it complete the exchange successfully, and 
> redirect?  
> > Or does it fail the exchange and redirect?
> > 
> > I think the obvious answer is to fail the exchange and redirect.  I 
> > think we should mandate that even with EAP failure, the 
> client should 
> > honor the REDIRECT.
> > 
> > If the gateway authentication fails (the AUTH payload in the first 
> > IKE_AUTH response fails to authenticate) then I'm not sure what the 
> > right action is.  REDIRECT is accepted in an 
> unauthenticated INITIAL exchange.
> > Why not, then, in a failed authentication IKE_AUTH exchange?
> > 
> [YS] No, failing authentication is different from being 
> unauthenticated. The client may have a policy that says that 
> it's willing to be redirected at IKE_SA_INIT. But if it 
> receives an AUTH value that is explicitly untrusted (say, 
> with a revoked certificate), I think it should not act on it. 
> Even though a malicious gateway could have responded in the 
> first exchange etc.
> etc.
> 
> Also note that it may be hard to untangle client 
> authentication from gateway authentication, e.g. when using 
> symmetric password authentication such as <self plug> EAP-EKE 
> </self plug>.

Email secured by Check Point
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to