On Oct 7, 2012, at 10:11 PM, Jim Schaad wrote:

>
>
>> -----Original Message-----
>> From: Hao Zhou (hzhou) [mailto:hz...@cisco.com]
>> Sent: Thursday, October 04, 2012 3:06 PM
>> To: Jim Schaad; emu@ietf.org; draft-ietf-emu-eap-tunnel-met...@tools.ietf.org
>> Subject: Re: [Emu] More Comments 2 on eap-tunnel-method
>>
>> Jim:
>>
>> Please see comments below.
>>
>> On 10/1/12 1:10 PM, "Jim Schaad" <i...@augustcellars.com> wrote:
>>
>>> I found two that I forgot to include in the last message.
>>>
>>> 1. When exporting the user-id, does there need to be a way to
>>> distinguish at export time between the different types of ids that are
>>> authenticated by the server? This does not seem to be an issue on the
>>> peer as it will only do mutual authentication to servers and thus only
>>> have server ids, however a server may authenticate to different types
>>> of identities on the peer. At the moment we have identified user and
>>> machines as types of entities to be identified, I suppose in the future
>>> we could add Ewoks as a different type of entity that could be
>>> identified. However the export function of user-ids does not make a
>>> distinction between the different types of authenticated entities.
>>> Should it do so or should it just export user authentications?
>>
>> [HZ] It helps to export the identities as well as the corresponding
>> identity types (from the Identity Type TLV). Will add text.
>>
>>> 2. Is there a map of TLVs that should not be sent together or need to
>>> be processed in a specific order? The case I was looking at was for
>>> the Identity TLV and the EAP TLV. Is there a difference in how a peer
>>> should react for the following?
>>>
>>> Identity TLV (Send me a machine Identity), EAP TLV (Start the EAP type XX)
>>> EAP TLV (Start EAP type XXX), Identity TLV (Send me a machine Identity)
>>>
>>> Or should these two TLVs never occur in a single message?
>>
>> [HZ] We had some discussion in WG and take the design principle of TLV
>> ordering should not matter. We disallow simultaneous EAP inner methods
>> and/or with Basic Password Authentication, so rest of the TLVs order
>> should not matter. If it does matter, it should be a nested TLV, as in
>> Result TLV and Request-Action TLV. Need to add text to disallow Inner EAP
>> method with parallel Basic Password Authentication TLV.
>
> [JLS] If order of TLVs does not matter, then there is an implied order that
> the TLVs should be processed. That is one should always process the
> Identity TLV before processing the EAP TLV as the identity TLV is a hint to
> the type of identity that is to be used in the EAP method. Conversely it
> might be that these two TLVs should never occur in the same message.
>
> Ditto with the Basic Password Authentication TLV and the Identity TLV.
>

[Joe] That makes sense. An implementation should check for an identity TLV to provide a hint when determining what identity to use for an EAP or password authentication.

> Jim
>
>>>
>>> Jim
>>>
>>>
>>> _______________________________________________
>>> Emu mailing list
>>> Emu@ietf.org
>>> https://www.ietf.org/mailman/listinfo/emu
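The processing rule the thread converges on (TLV wire order does not matter; the Identity-Type TLV is consumed first as a hint for whichever inner authentication follows; an inner EAP method and Basic Password Authentication must not be requested in the same message) can be illustrated with a small parser. The following is an added example, not code from the draft or from any of the participants. It assumes an EAP-FAST/TEAP-style TLV header (M bit, R bit, 14-bit type, 16-bit length), illustrative TLV type codes and identity codes (the draft's IANA table is authoritative), and a constructed EAP type number for the "start EAP type XX" request.

```python
import struct

# Illustrative TLV type codes and identity codes. These are assumptions for
# this example, not values taken from the thread; check the draft's IANA table.
TLV_IDENTITY_TYPE = 2
TLV_EAP_PAYLOAD = 9
TLV_BASIC_PW_AUTH_REQ = 13

IDENTITY_USER = 1
IDENTITY_MACHINE = 2
IDENTITY_NAMES = {IDENTITY_USER: "user", IDENTITY_MACHINE: "machine"}

# Constructed EAP type number standing in for "EAP type XX" in the thread.
EAP_TYPE_DEMO = 43


def encode_tlv(tlv_type, value, mandatory=True):
    """Encode one TLV: M bit, R bit, 14-bit type, 16-bit length, then value."""
    if not 0 <= tlv_type < 0x4000:
        raise ValueError("TLV type must fit in 14 bits")
    header = (0x8000 if mandatory else 0) | tlv_type
    return struct.pack("!HH", header, len(value)) + value


def parse_tlvs(data):
    """Parse a byte string into (mandatory, type, value) tuples, in wire order."""
    tlvs = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated TLV header")
        header, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        if len(data) - offset < length:
            raise ValueError("truncated TLV value")
        tlvs.append((bool(header & 0x8000), header & 0x3FFF, data[offset:offset + length]))
        offset += length
    return tlvs


def process_message(data):
    """Process all TLVs of one message without depending on their wire order.

    Collect TLVs by type, reject the combination the WG disallowed, read the
    Identity-Type hint (if present) before starting an EAP or password
    authentication, and return what the peer would do next.
    """
    by_type = {}
    for _mandatory, tlv_type, value in parse_tlvs(data):
        if tlv_type in by_type:
            raise ValueError("duplicate TLV type %d in one message" % tlv_type)
        by_type[tlv_type] = value

    # Inner EAP and Basic Password Authentication must not run in parallel.
    if TLV_EAP_PAYLOAD in by_type and TLV_BASIC_PW_AUTH_REQ in by_type:
        raise ValueError("EAP-Payload and Basic-Password-Auth-Req in the same message")

    # Identity-Type is a hint for whatever authentication follows, so it is
    # consumed first even if it arrived after the EAP TLV on the wire.
    identity = None
    if TLV_IDENTITY_TYPE in by_type:
        (code,) = struct.unpack("!H", by_type[TLV_IDENTITY_TYPE])
        identity = IDENTITY_NAMES.get(code, "unknown(%d)" % code)

    result = {"identity_type": identity, "action": None}
    if TLV_EAP_PAYLOAD in by_type:
        eap = by_type[TLV_EAP_PAYLOAD]
        # EAP header: Code, Identifier, Length (2 bytes), then Type for a Request.
        if len(eap) < 5 or eap[0] != 1:
            raise ValueError("EAP-Payload does not carry an EAP Request")
        result["action"] = "start_eap"
        result["eap_type"] = eap[4]
    elif TLV_BASIC_PW_AUTH_REQ in by_type:
        result["action"] = "password_auth"
    return result


def eap_request(identifier, eap_type, payload=b""):
    """Build a minimal EAP Request packet (Code 1)."""
    return struct.pack("!BBHB", 1, identifier, 5 + len(payload), eap_type) + payload


# Constructed sample messages: the two orderings from the thread plus the
# disallowed EAP-plus-password combination.
IDENTITY_TLV = encode_tlv(TLV_IDENTITY_TYPE, struct.pack("!H", IDENTITY_MACHINE))
EAP_TLV = encode_tlv(TLV_EAP_PAYLOAD, eap_request(1, EAP_TYPE_DEMO))
PASSWORD_TLV = encode_tlv(TLV_BASIC_PW_AUTH_REQ, b"")

MSG_IDENTITY_THEN_EAP = IDENTITY_TLV + EAP_TLV
MSG_EAP_THEN_IDENTITY = EAP_TLV + IDENTITY_TLV
MSG_DISALLOWED = EAP_TLV + PASSWORD_TLV

if __name__ == "__main__":
    print(process_message(MSG_IDENTITY_THEN_EAP))
    print(process_message(MSG_EAP_THEN_IDENTITY))
    try:
        process_message(MSG_DISALLOWED)
    except ValueError as exc:
        print("rejected:", exc)
```

Both orderings yield the same decision (start the requested EAP type with a machine identity), which is what "ordering should not matter" requires of an implementation: the hint is applied by type, not by position. Rejecting duplicate TLV types and the EAP-plus-password combination up front keeps a peer from acting on the first TLV it sees before it has checked the message as a whole.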