Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-12 Thread Qin Wu
Hi, - Original Message - From: Yoav Nir y...@checkpoint.com To: Qin Wu sunse...@huawei.com Cc: ipsec@ietf.org; Dan Harkins dhark...@lounge.org; ho...@ietf.org Sent: Wednesday, May 11, 2011 10:19 PM Subject: Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00 On May 7, 2011, at 3:42 AM, Qin

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-06 Thread Yoav Nir
On May 5, 2011, at 11:41 PM, Yaron Sheffer wrote: Hi, I think we are going down a rathole on the issue of authenticated identity. Most IKE gateways, like many other security devices, normally make policy decisions based on groups. I will provide secure connectivity to

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-06 Thread Qin Wu
It seems to me RFC 4306/5996 took the concept a bit further than RFC 4301 ever intended (in fact I believe the text is new to RFC 5996). Presumably, when we talk about identity-based policy decisions, we refer to http://tools.ietf.org/html/rfc4301#section-4.4.3. This text (and the

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-05 Thread Dan Harkins
Hello, On Wed, May 4, 2011 10:45 pm, Yoav Nir wrote: On May 4, 2011, at 11:45 PM, Dan Harkins wrote: RFC 5996 says in section 2.16: When the initiator authentication uses EAP, it is possible that the contents of the IDi payload is used only for Authentication, Authorization, and

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-05 Thread Yoav Nir
On May 5, 2011, at 9:17 AM, Dan Harkins wrote: Hello, On Wed, May 4, 2011 10:45 pm, Yoav Nir wrote: OK. I see what you mean. Certificates are not necessarily better. She might have a certificate with a subject like UID=alice,OU=people,O=intranet,DC=example,DC=com, or the AAA

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-05 Thread Yaron Sheffer
Hi, I think we are going down a rathole on the issue of "authenticated identity". Most IKE gateways, like many other security devices, normally make policy decisions based on groups. I will provide secure connectivity to anyb...@this-isp.com, but not to

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-04 Thread Qin Wu
Hi, - Original Message - From: Yoav Nir y...@checkpoint.com To: Qin Wu sunse...@huawei.com Cc: ipsec@ietf.org Sent: Wednesday, May 04, 2011 1:30 PM Subject: Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00 On May 4, 2011, at 4:50 AM, Qin Wu wrote: - I am missing the authenticated

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-04 Thread Yoav Nir
On May 4, 2011, at 9:18 AM, Qin Wu wrote: Hi, - Original Message - From: Yoav Nir y...@checkpoint.com To: Qin Wu sunse...@huawei.com Cc: ipsec@ietf.org Sent: Wednesday, May 04, 2011 1:30 PM Subject: Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00 On May 4, 2011, at 4:50 AM

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-04 Thread Qin Wu
Hi, - Original Message - From: Yoav Nir y...@checkpoint.com To: Qin Wu sunse...@huawei.com Cc: ipsec@ietf.org; ho...@ietf.org Sent: Wednesday, May 04, 2011 3:00 PM Subject: Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00 On May 4, 2011, at 9:18 AM, Qin Wu wrote: Hi, - Original

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-04 Thread Dan Harkins
On Tue, May 3, 2011 10:30 pm, Yoav Nir wrote: [snip] The Authenticator needs the true identity to make policy decisions. Well then DO NOT use EAP for authentication. Dan.

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-04 Thread Yoav Nir
Hi Dan, On May 4, 2011, at 9:47 PM, Dan Harkins wrote: On Tue, May 3, 2011 10:30 pm, Yoav Nir wrote: [snip] The Authenticator needs the true identity to make policy decisions. Well then DO NOT use EAP for authentication. Dan. I'm sure I don't understand your point. The IKE

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-04 Thread Dan Harkins
On Wed, May 4, 2011 12:11 pm, Yoav Nir wrote: Hi Dan, On May 4, 2011, at 9:47 PM, Dan Harkins wrote: On Tue, May 3, 2011 10:30 pm, Yoav Nir wrote: [snip] The Authenticator needs the true identity to make policy decisions. Well then DO NOT use EAP for authentication. Dan. I'm sure

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-03 Thread Yoav Nir
On May 2, 2011, at 11:54 PM, Yaron Sheffer wrote: [Responding to IPsec only:] Hi Yoav, thanks for the new draft. I'm afraid one needs to read RFC5296bis before commenting, but here's a few questions anyway: - Sending the domain in the IKE_SA_INIT response obviously contradicts the

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-03 Thread Qin Wu
- I am missing the authenticated peer identity, which I would assume should arrive from the AAA server. This should be the basis of RFC4301 policy decisions on the IKE gateway. Does ERP provide this identity? The EAP-Initiate/Re-auth packet carries a keyName-NAI TLV, but that is sent
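
The two positions in this thread, that gateways mostly do group (realm) based policy and that the ERP keyName-NAI carries a key name rather than the user's identity, can be shown side by side in a small policy engine. The following is an added illustration in Python, not code from draft-nir-ipsecme-erx-00, from the thread, or from any IKE implementation. It assumes the identity the gateway sees is an NAI of the form "user@realm", that for ERP the user part is a hex-encoded EMSKname (assumed here to be 16 hex digits) and so names a key, not a person, and that gateway policy is a table of realm to permitted traffic selectors; every identity, realm and CIDR in it is constructed for the example.

```python
"""Realm-based authorization for an ERP keyName-NAI at an IKEv2 gateway.

Added illustration, not code from draft-nir-ipsecme-erx or from anyone on the
thread.  Assumptions: the identity the gateway sees is an NAI "user@realm"; for
ERP it is the keyName-NAI "<EMSKname>@<realm>" with a hex-encoded EMSKname
(assumed here to be 16 hex digits), so the user part is an opaque key name and
not a person; gateway policy is a table of realm -> permitted traffic selectors.
All identities, realms and CIDRs below are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Conservative NAI syntax: exactly one "@", a non-empty user part, and a realm
# of at least two DNS-style labels.  A real gateway would follow RFC 4282.
_NAI = re.compile(r"^(?P<user>[^@\s]+)@(?P<realm>(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+)$")
_KEYNAME = re.compile(r"^[0-9A-Fa-f]{16}$")  # assumption: 64-bit EMSKname in hex

Policy = Dict[str, List[str]]  # "realm" or "*.suffix" -> permitted CIDRs


@dataclass(frozen=True)
class Identity:
    user: str
    realm: str
    opaque: bool  # True when the user part is a key name carrying no person identity


def parse_nai(nai: str) -> Identity:
    """Split an NAI into user and realm, flagging ERP key names as opaque."""
    m = _NAI.match(nai)
    if not m:
        raise ValueError(f"not a usable NAI: {nai!r}")
    user, realm = m.group("user"), m.group("realm").lower()
    return Identity(user, realm, opaque=bool(_KEYNAME.match(user)))


def realm_matches(pattern: str, realm: str) -> bool:
    """Exact realm, or "*.example.com" matching sub-realms on label boundaries."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return realm.endswith(suffix) and realm != suffix[1:]
    return pattern == realm


def permitted_selectors(ident: Identity, realm_policy: Policy,
                        user_policy: Policy) -> List[ipaddress.IPv4Network]:
    """Traffic selectors this identity may negotiate.

    Group (realm) rules apply to every identity, so an ERP keyName-NAI is enough
    for them.  Per-user rules need a real authenticated identity; an opaque key
    name never matches one, which is the gap the thread is discussing.
    """
    nets = set()
    for pattern, cidrs in realm_policy.items():
        if realm_matches(pattern, ident.realm):
            nets.update(ipaddress.ip_network(c) for c in cidrs)
    if not ident.opaque:
        nets.update(ipaddress.ip_network(c)
                    for c in user_policy.get(f"{ident.user}@{ident.realm}", []))
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def narrow_selector(requested: str,
                    permitted: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Narrow a proposed traffic selector as an IKEv2 responder may: keep the overlap only."""
    req = ipaddress.ip_network(requested)
    narrowed = []
    for net in permitted:
        if net.version != req.version:
            continue
        if req.subnet_of(net):
            narrowed.append(req)
        elif net.subnet_of(req):
            narrowed.append(net)
    return narrowed


if __name__ == "__main__":
    realm_policy = {"this-isp.com": ["10.0.0.0/8"], "*.example.com": ["192.0.2.0/24"]}
    user_policy = {"alice@intranet.example.com": ["198.51.100.0/24"]}
    for nai in ("0123456789abcdef@this-isp.com", "alice@intranet.example.com",
                "0123456789abcdef@intranet.example.com"):
        ident = parse_nai(nai)
        allowed = permitted_selectors(ident, realm_policy, user_policy)
        print(nai, "opaque" if ident.opaque else "named", [str(n) for n in allowed])
```

Run as a script it prints the selectors each constructed identity gets: the two key-name identities receive only what their realm grants, while the named user additionally picks up her per-user rule. That is the practical difference between the two camps in the thread: if the gateway's policy is keyed on realm, the keyName-NAI is sufficient; if it is keyed on the person, something else (the AAA server, or a non-EAP authentication) has to supply the identity.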

Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-03 Thread Yoav Nir
On May 4, 2011, at 4:50 AM, Qin Wu wrote: - I am missing the authenticated peer identity, which I would assume should arrive from the AAA server. This should be the basis of RFC4301 policy decisions on the IKE gateway. Does ERP provide this identity? The EAP-Initiate/Re-auth packet

[IPsec] New I-D: draft-nir-ipsecme-erx-00

2011-05-02 Thread Yoav Nir
Hi. Qin and I have just posted the subject draft. The title is An IKEv2 Extension for Supporting ERP, although it has nothing to do with enterprise resource planning. This draft brings the ERP extension for EAP, which is developed by the Hokey group into the IKEv2 authentication exchange,