On Aug 6, 2011, at 10:37 PM, Yoav Nir wrote:

> Hi
>
> At the meeting in Quebec, I gave a presentation at the HOKEY meeting about
> http://tools.ietf.org/html/draft-nir-ipsecme-erx .
>
> The draft covers using the EAP extensions for re-authentication in IKEv2. The
> obvious (to me) use-case is a phone connected to an 802.1x network. As you
> leave the building, the same phone automatically uses IKEv2 over a 3G
> network without the user authenticating, by using the handed-over keys from
> 802.1x.
>
> ERP (RFC 5296) works in two cases:
> 1. when the new AAA backend and the old AAA backend are the same, and
> 2. when they are different - you connect to a local EAP server
>
> There is an open question here. Obviously, when you use EAP for 802.1x or PPP
> or some other network access, you often connect to a local Authenticator that
> is not the same as your "home network". But is this relevant in IKEv2? IKEv2
> is used over the Internet. Why would you ever want to connect to a server
> other than your home (or a server that relies on the same AAA backend)?
>
> In other words: is there a use-case for connecting to a local rather than a
> home server in IKE, a use-case that uses EAP?
>
> My feeling is that the answer is no, and there were some phone operators in
> the room who agreed with me. Someone did bring up the case of host-to-host
> IPsec, but I don't think that ever uses EAP.
>
> Does anybody have different thoughts about this?
(crickets)

As there were no replies to this email, and as there was pretty much an uncalled consensus at the HOKEY meeting, I have submitted version -02 of the draft with an extra paragraph in section 3.2 to explain that the "roaming to a different EAP server" scenario is probably not relevant.

http://www.ietf.org/internet-drafts/draft-nir-ipsecme-erx-02

I would be happy for this to become a working group item, but if not, I would like to take it to our ADs (not sure which one, as this involves both IPsecME and HOKEY).

I would also appreciate any suggestions for the Security Considerations section, other than just moving the rest of section 3.2 into it.

Yoav

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec