headers
Yoav Nir | 2 May 2011 13:31
Picon
Favicon

New I-D: draft-nir-ipsecme-erx-00

Hi.

Qin and I have just posted the subject draft.  The title is "An IKEv2 Extension for Supporting ERP", although
it has nothing to do with enterprise resource planning.

This draft brings the ERP extension for EAP, which is developed by the Hokey group into the IKEv2
authentication exchange, allowing a client ("peer" or "initiator") to authenticate to a VPN gateway
("Authenticator" or "responder") in only three round-trips, and without user intervention, provided
that this client has unexpired keys from a previous run of EAP. It doesn't matter whether the previous run
was done in the context of another IKE exchange, attachment to a 802.1x LAN or over PPP.

We would like this draft to be accepted as a working-group item in IPsecME, although serious review in hokey
will also be needed.

I'd like to use this one-time cross-posted mail message to explain some of the design decisions in this -00
version of the draft.

The EAP-Initiate/Re-auth-Start message is missing from the protocol. Instead, a notification payload
carries the domain name. This was done because an EAP payload in the IKE_SA_INIT response would be weird,
whereas unknown Notifications are common. We are not sure whether placing the domain name is necessary,
because in IKE, the client usually connects to a pre-configured gateway, rather than attaching to any
network available as in 802.1x.

We do not run two EAP protocols in parallel (re-auth and something else) as in RFC 5296 and the bis document,
because IKEv2 ususally doesn't have identity requests (they identity protocol is replaced by the user
identity in the IDi payload), and running a real EAP protocol would put us in a weird state with the backend
EAP server. Instead, we send the domain name in the notification payload, and the client may either send
the EAP-Initiate/Re-auth message or the IDi payload (but not both).

Alternatively we could have the client indicate support in the IKE_SA_INIT request, and then have a proper
(Continue reading)

Permalink | Reply | 18 comments |
headers
Yaron Sheffer | 2 May 2011 22:54
Picon

Re: New I-D: draft-nir-ipsecme-erx-00

[Responding to IPsec only:]

Hi Yoav,

thanks for the new draft. I'm afraid one needs to read RFC5296bis before 
commenting, but here's a few questions anyway:

- Sending the domain in the IKE_SA_INIT response obviously contradicts 
the usual IKEv2 identity protection. This is not really a question :-)
- I am missing the "authenticated peer identity", which I would assume 
should arrive from the AAA server. This should be the basis of RFC4301 
policy decisions on the IKE gateway. Does ERP provide this identity?
- Does this draft coexist with certificate-less mutual EAP 
authentication, as per RFC5998?

Thanks,
     Yaron

On 05/02/2011 02:31 PM, Yoav Nir wrote:
> Hi.
>
> Qin and I have just posted the subject draft.  The title is "An IKEv2 
> Extension for Supporting ERP", although it has nothing to do with 
> enterprise resource planning.
>
> This draft brings the ERP extension for EAP, which is developed by the 
> Hokey group into the IKEv2 authentication exchange, allowing a client 
> ("peer" or "initiator") to authenticate to a VPN gateway 
> ("Authenticator" or "responder") in only three round-trips, and 
> without user intervention, provided that this client has unexpired
(Continue reading)

Permalink | Reply | 17 comments |
headers
Yoav Nir | 3 May 2011 12:49
Picon
Favicon

Re: New I-D: draft-nir-ipsecme-erx-00


On May 2, 2011, at 11:54 PM, Yaron Sheffer wrote:

> [Responding to IPsec only:]
> 
> Hi Yoav,
> 
> thanks for the new draft. I'm afraid one needs to read RFC5296bis before 
> commenting, but here's a few questions anyway:
> 
> - Sending the domain in the IKE_SA_INIT response obviously contradicts 
> the usual IKEv2 identity protection. This is not really a question :-)

True, but identity protection for the responder never made sense for remote access gateways. I haven't
gone over the archives, but I remember that someone proposed having an extra EAP-Identity round so that
the server shows its certificate first. If we get feedback that this is a serious issue to some, we can
always add a round-trip.

> - I am missing the "authenticated peer identity", which I would assume 
> should arrive from the AAA server. This should be the basis of RFC4301 
> policy decisions on the IKE gateway. Does ERP provide this identity?

The EAP-Initiate/Re-auth packet carries a keyName-NAI TLV, but that is sent from the client (or "peer") to
the authentication server through the gateway. (section 5.3.2 of the bis document)
The EAP-Finish/Re-auth packet also carries a keyName-NAI TLV, and that is sent from the authentication
server through the gateway to the client.
But these don't really help, because the username part of NAI is the 64-bit EMSKname, which is not directly
related to user name.
However, these messages come within an Access-Accept packet from the RADIUS server, and those include a
proper user name.
(Continue reading)

Permalink | Reply | 16 comments |
headers
Qin Wu | 4 May 2011 03:50
Favicon

Re: New I-D: draft-nir-ipsecme-erx-00

>> - I am missing the "authenticated peer identity", which I would assume 
>> should arrive from the AAA server. This should be the basis of RFC4301 
>> policy decisions on the IKE gateway. Does ERP provide this identity?
> 
> The EAP-Initiate/Re-auth packet carries a keyName-NAI TLV, but that is sent from the client (or "peer")
to the authentication server through the gateway. (section 5.3.2 of the bis document)
> The EAP-Finish/Re-auth packet also carries a keyName-NAI TLV, and that is sent from the authentication
server through the gateway to the client.
> But these don't really help, because the username part of NAI is the 64-bit EMSKname, which is not directly
related to user name.
> However, these messages come within an Access-Accept packet from the RADIUS server, and those include a
proper user name.

[Qin]: If you are talking about the second identity specified in section 6.4 of RFC5998, I think, unlike
EAP, ERP does not provide such identity.
ERP only define two types: one is Re-auth-Start, the other is Re-Auth.

KeyName-NAI TLV defined in RFC5296 and RFC5296bis more looks like the first idenity described in section
6.4 of RFC5998.
As decribed in section 5.1 of RFC5296,
"
     When an ERP-capable authenticator receives the EAP-Initiate/
      Re-auth message from a peer, it copies the contents of the
                                                       ^^^^^^^^^^^^^^^^^^^^
      keyName-NAI into the User-Name attribute of RADIUS [13]. 
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"

> 
>> - Does this draft coexist with certificate-less mutual EAP
(Continue reading)

Permalink | Reply | 15 comments |
headers
Yoav Nir | 4 May 2011 07:30
Picon
Favicon

Re: New I-D: draft-nir-ipsecme-erx-00


On May 4, 2011, at 4:50 AM, Qin Wu wrote:

>>> - I am missing the "authenticated peer identity", which I would assume 
>>> should arrive from the AAA server. This should be the basis of RFC4301 
>>> policy decisions on the IKE gateway. Does ERP provide this identity?
>> 
>> The EAP-Initiate/Re-auth packet carries a keyName-NAI TLV, but that is sent from the client (or "peer")
to the authentication server through the gateway. (section 5.3.2 of the bis document)
>> The EAP-Finish/Re-auth packet also carries a keyName-NAI TLV, and that is sent from the authentication
server through the gateway to the client.
>> But these don't really help, because the username part of NAI is the 64-bit EMSKname, which is not
directly related to user name.
>> However, these messages come within an Access-Accept packet from the RADIUS server, and those include a
proper user name.
> 
> [Qin]: If you are talking about the second identity specified in section 6.4 of RFC5998, I think, unlike
EAP, ERP does not provide such identity.
> ERP only define two types: one is Re-auth-Start, the other is Re-Auth.
> 
> KeyName-NAI TLV defined in RFC5296 and RFC5296bis more looks like the first idenity described in section
6.4 of RFC5998.
> As decribed in section 5.1 of RFC5296,
> "
>     When an ERP-capable authenticator receives the EAP-Initiate/
>      Re-auth message from a peer, it copies the contents of the
>                                                       ^^^^^^^^^^^^^^^^^^^^
>      keyName-NAI into the User-Name attribute of RADIUS [13]. 
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> "
(Continue reading)

Permalink | Reply | 14 comments |
headers
Qin Wu | 4 May 2011 08:18
Favicon

Re: New I-D: draft-nir-ipsecme-erx-00

Hi,
----- Original Message ----- 
From: "Yoav Nir" <ynir <at> checkpoint.com>
To: "Qin Wu" <sunseawq <at> huawei.com>
Cc: <ipsec <at> ietf.org>
Sent: Wednesday, May 04, 2011 1:30 PM
Subject: Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

> 
> On May 4, 2011, at 4:50 AM, Qin Wu wrote:
> 
>>>> - I am missing the "authenticated peer identity", which I would assume 
>>>> should arrive from the AAA server. This should be the basis of RFC4301 
>>>> policy decisions on the IKE gateway. Does ERP provide this identity?
>>> 
>>> The EAP-Initiate/Re-auth packet carries a keyName-NAI TLV, but that is sent from the client (or
"peer") to the authentication server through the gateway. (section 5.3.2 of the bis document)
>>> The EAP-Finish/Re-auth packet also carries a keyName-NAI TLV, and that is sent from the
authentication server through the gateway to the client.
>>> But these don't really help, because the username part of NAI is the 64-bit EMSKname, which is not
directly related to user name.
>>> However, these messages come within an Access-Accept packet from the RADIUS server, and those include
a proper user name.
>> 
>> [Qin]: If you are talking about the second identity specified in section 6.4 of RFC5998, I think, unlike
EAP, ERP does not provide such identity.
>> ERP only define two types: one is Re-auth-Start, the other is Re-Auth.
>> 
>> KeyName-NAI TLV defined in RFC5296 and RFC5296bis more looks like the first idenity described in
section 6.4 of RFC5998.
(Continue reading)

Permalink | Reply | 2 comments |
headers
Yoav Nir | 4 May 2011 09:00
Picon
Favicon

Re: New I-D: draft-nir-ipsecme-erx-00


On May 4, 2011, at 9:18 AM, Qin Wu wrote:

> Hi,
> ----- Original Message ----- 
> From: "Yoav Nir" <ynir <at> checkpoint.com>
> To: "Qin Wu" <sunseawq <at> huawei.com>
> Cc: <ipsec <at> ietf.org>
> Sent: Wednesday, May 04, 2011 1:30 PM
> Subject: Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00
> 
> 
>> 
>> On May 4, 2011, at 4:50 AM, Qin Wu wrote:
>> 
>>>>> - I am missing the "authenticated peer identity", which I would assume 
>>>>> should arrive from the AAA server. This should be the basis of RFC4301 
>>>>> policy decisions on the IKE gateway. Does ERP provide this identity?
>>>> 
>>>> The EAP-Initiate/Re-auth packet carries a keyName-NAI TLV, but that is sent from the client (or
"peer") to the authentication server through the gateway. (section 5.3.2 of the bis document)
>>>> The EAP-Finish/Re-auth packet also carries a keyName-NAI TLV, and that is sent from the
authentication server through the gateway to the client.
>>>> But these don't really help, because the username part of NAI is the 64-bit EMSKname, which is not
directly related to user name.
>>>> However, these messages come within an Access-Accept packet from the RADIUS server, and those
include a proper user name.
>>> 
>>> [Qin]: If you are talking about the second identity specified in section 6.4 of RFC5998, I think, unlike
EAP, ERP does not provide such identity.
(Continue reading)

Permalink | Reply | 1 comment |
headers
Qin Wu | 4 May 2011 09:27
Favicon

Re: New I-D: draft-nir-ipsecme-erx-00

Hi,
----- Original Message ----- 
From: "Yoav Nir" <ynir <at> checkpoint.com>
To: "Qin Wu" <sunseawq <at> huawei.com>
Cc: <ipsec <at> ietf.org>; <hokey <at> ietf.org>
Sent: Wednesday, May 04, 2011 3:00 PM
Subject: Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00

> 
> On May 4, 2011, at 9:18 AM, Qin Wu wrote:
> 
>> Hi,
>> ----- Original Message ----- 
>> From: "Yoav Nir" <ynir <at> checkpoint.com>
>> To: "Qin Wu" <sunseawq <at> huawei.com>
>> Cc: <ipsec <at> ietf.org>
>> Sent: Wednesday, May 04, 2011 1:30 PM
>> Subject: Re: [IPsec] New I-D: draft-nir-ipsecme-erx-00
>> 
>> 
>>> 
>>> On May 4, 2011, at 4:50 AM, Qin Wu wrote:
>>> 
>>>>>> - I am missing the "authenticated peer identity", which I would assume 
>>>>>> should arrive from the AAA server. This should be the basis of RFC4301 
>>>>>> policy decisions on the IKE gateway. Does ERP provide this identity?
>>>>> 
>>>>> The EAP-Initiate/Re-auth packet carries a keyName-NAI TLV, but that is sent from the client (or
"peer") to the authentication server through the gateway. (section 5.3.2 of the bis document)
>>>>> The EAP-Finish/Re-auth packet also carries a keyName-NAI TLV, and that is sent from the
(Continue reading)

Permalink | Reply | 0 comments |
headers
Dan Harkins | 4 May 2011 20:47

Re: New I-D: draft-nir-ipsecme-erx-00


On Tue, May 3, 2011 10:30 pm, Yoav Nir wrote:
[snip]
> The Authenticator needs the true identity to make policy decisions.

  Well then DO NOT use EAP for authentication.

  Dan.
Permalink | Reply | 10 comments |
headers
Yoav Nir | 4 May 2011 21:11
Picon
Favicon

Re: New I-D: draft-nir-ipsecme-erx-00

Hi Dan,

On May 4, 2011, at 9:47 PM, Dan Harkins wrote:

> 
> On Tue, May 3, 2011 10:30 pm, Yoav Nir wrote:
> [snip]
>> The Authenticator needs the true identity to make policy decisions.
> 
>  Well then DO NOT use EAP for authentication.
> 
>  Dan.

I'm sure I don't understand your point. The IKE responder does not need to know whether the user's true
identity in the sense of whether she is a cat person or a dog person. "alice <at> example.com" is good enough for
policy lookups and policy decisions, as well as for generating meaningful logs.
"1542a0f74aef5011 <at> example.com", where the part before the at-sign is a hex representation of an
ephemeral key is not.
Permalink | Reply | 9 comments |

Gmane