On Nov 12, 2009, at 5:34 AM, Raj Singh wrote:
> The selection of AAA server will be based on IDi then EAP will happen.
> The gateway will get EAP authenticated ID from the AAA server.
> If EAP identity is different from IDi and no policy is found for EAP identity.
> The gateway should initiate de
Hi Murthy,
As per the RFC, with EAP authentication, policy lookups and access
control decisions should be based on EAP identity, so the gateway needs
to know the EAP identity.
The source of EAP identity for gateway is either IDi (when IDi is same
as EAP identity) or AAA server providing authentica
Policy lookups are selected by Authenticator based on Authorization
information received from AAA server after successful Authentication.
The AAA server uses an attribute (RADIUS) to send a reference to the
Authorization information specific for the specific client. The
Authenticator need not know th
Amjad,
If the Authenticator includes the AAA server implementation, it should know
the EAP identity to enforce policies. If AAA server is separate, we can
add an attribute to AAA server for this purpose and in which case
Authenticator does not have to know the EAP identity. It will use the
attribute to
On Nov 11, 2009, at 3:56 PM, Stephen Kent wrote:
> Jack,
>
> I would have no problem deprecating AH in the context of the IPsec
> architecture document, if others agree. It is less efficient than ESP-NULL.
> However, other WGs have cited AH as the IPsec protocol of choice for
> integrity/aut
> > While the algorithms and DH groups are subject to configuration in the UI
> > and negotiation in IKE, the algorithm used to sign the certificates is
> > outside the IKE implementation. You usually have a certificate that you
> > need to use, and it's the CA's decision whether this is signed w
On 11 Nov 2009, at 14:53, Yoav Nir wrote:
>
> On Nov 11, 2009, at 3:39 PM, Srinivasu S R S Dhulipala (srinid) wrote:
>>
>>> 2) If not same, what purpose should each of the above identities serve
>>
>> 1) mainly used as a hint for the gateway as to which AAA server to
>> choose
>> 2) It's the
At 10:07 PM +0200 11/11/09, Yoav Nir wrote:
>If you're bissing this thing, can we please please please entirely get rid of
>the requirement to use ECDSA certificates?
There is no "we" here. It is not a WG item, it is an individual submission that
the authors chose to alert the WG about.
Having
Daniel,
> AH is a security feature we need to keep for header authentication
Am really not sure about the value that AH adds even in case of header
authentication.
So what fields does AH protect:
Version, Payload length, Next Header, Source IP and dest IP
The only field worth modifying is
I think this argument implicitly assumes unicast.
Rich Graveman
On Thu, Nov 12, 2009 at 8:18 PM, Bhatia, Manav (Manav)
wrote:
> Daniel,
>
>> AH is a security feature we need to keep for header authentication
>
> Am really not sure about the value that AH adds even in case of header
> authentica
At 6:48 AM +0530 11/13/09, Bhatia, Manav (Manav) wrote:
>Daniel,
>>AH is a security feature we need to keep for header authentication
>Am really not sure about the value that AH adds even in case of
>header authentication.
>So what fields does AH protect:
>Version, Payload length, Next Header,
I agree with all of Paul's observations. The scope of this profile is
entirely appropriate.
Steve
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
> >
> >So what fields does AH protect:
> >
> >Version, Payload length, Next Header, Source IP and dest IP
>
> you forgot IPv4 and IPv6 options that have predictable values at the
> destination
Lets start with the IPv6 Type 0 Route Header (aka "Source Routing" in v4
parlance), which is a mutabl
Yup, that's correct I had not considered multicast.
SSM groups would use a 3-tuple SA identifier composed of an SPI, a dest mcast
address, and the source IP. An Any-Source Multicast group SA would only require
an SPI and a dest mcast identifier. If either of the IPs change, wouldn't the
SAD loo
My message pointed out that there was no mention of options. Your
reply picked a couple of option examples and argued that they were
either not used or did not pose a security problem.
The right way to generate a good answer is to construct a table of all
the options, and provide a rationale f
Hi Murthy,
IKEv2 gateway even when acting as a pass-through would need the
authenticated EAP identity for local policy decisions. For instance,
gateway can group remote users based on the authenticated EAP-id (e.g.
based on the domain/realm part of the ID). Further, with PSK and PKI
auth methods, i