Hi Yoav,

Thanks for the quick response. Please see inline.

-----Original Message-----
From: Yoav Nir [mailto:y...@checkpoint.com] 
Sent: Wednesday, November 11, 2009 7:23 PM
To: Srinivasu S R S Dhulipala (srinid)
Cc: Amjad Inamdar (amjads); ipsec@ietf.org
Subject: Re: [IPsec] Clarification on identities involved in
IKEv2EAPauthentication


On Nov 11, 2009, at 3:39 PM, Srinivasu S R S Dhulipala (srinid) wrote:
> 
>> 2) If not same, what purpose should each of the above identities serve
> 
>   1) mainly used as a hint for the gateway as to which AAA server to
>   choose
>   2) It's the AAA server that may request the identity, and it's
>   internal to AAA. It doesn't play in IKE
> 
> [SRINI] Does this imply that the gateway SHOULD not send an EAP identity
> request to the client? We see that one 3rd party IKEv2 client is
> sending an IP address as IDi, from which we can't take any hints.
> Moreover, the same client is expecting an EAP-ID request to be sent,
> else EAP is failing.
> I've started another thread about why we demoted "SHOULD" to "should"
> if the gateway is not supposed to send an EAP-identity request to the
> client. I think we should promote it back.

The gateway never sends any EAP identity requests at all. If such a
request exists, it is sent by the AAA server. The gateway serves only as
a pass-through.

[SRINI] The text below from sec 3.16 of the bis hints that the responder
may send, but it says it should not. In RFC 4306, it was "SHOULD NOT"; in
the bis it is "should not".

   {{ Demoted the SHOULD NOT and SHOULD }} Note that since IKE passes an
   indication of initiator identity in message 3 of the protocol, the
   responder should not send EAP Identity requests.  The initiator may,
   however, respond to such requests if it receives them.

Thanks,
Srinivas

For that reason, there is typically no reason for the gateway to inspect
the contents of the EAP payload.
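The roles described in this thread, as an added example that is not part of the original messages: a toy model of an IKEv2 responder (gateway) in which IDi from IKE_AUTH message 3 serves only as a hint for picking an AAA server, the decision to send an EAP Identity request belongs to the AAA server alone, and the gateway relays EAP payloads without inspecting them. The AAA server class, the realm-hint rule (domain part of an RFC822 address or FQDN, nothing for an IP address), the "default" realm fallback and the sample identities are all constructed for illustration; the ID type and EAP code/type values are the real ones from RFC 4306 and RFC 3748.

```python
from dataclasses import dataclass

# IKEv2 Identification Type values (RFC 4306, section 3.5).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3

# EAP Code and Type values (RFC 3748).
EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MD5_CHALLENGE = 4  # stands in for "whatever method the AAA picks"


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: int
    data: bytes = b""


class AaaServer:
    """Hypothetical AAA server (constructed). Whether an EAP Identity
    request is sent is decided here, never by the gateway."""

    def __init__(self, name, ask_identity):
        self.name = name
        self.ask_identity = ask_identity
        self.received = []

    def first_request(self):
        if self.ask_identity:
            return EapPacket(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)
        # Otherwise the AAA starts the method straight away.
        return EapPacket(EAP_REQUEST, 1, EAP_TYPE_MD5_CHALLENGE, b"challenge")

    def receive(self, pkt):
        self.received.append(pkt)


def realm_hint(id_type, id_data):
    """Realm hint taken from IDi (hypothetical rule): the domain part of an
    RFC822 address or FQDN; an IP address carries no usable hint."""
    if id_type == ID_RFC822_ADDR and b"@" in id_data:
        return id_data.split(b"@", 1)[1].decode().lower()
    if id_type == ID_FQDN and b"." in id_data:
        return id_data.decode().lower().split(".", 1)[1]
    return None


class Gateway:
    """IKEv2 responder: chooses an AAA server from the IDi hint and passes
    EAP payloads through between initiator and AAA server untouched."""

    def __init__(self, servers_by_realm, default_realm):
        self.servers = servers_by_realm
        self.default_realm = default_realm
        self.relayed = []

    def select_aaa(self, id_type, id_data):
        realm = realm_hint(id_type, id_data)
        return self.servers.get(realm, self.servers[self.default_realm])

    def relay(self, pkt):
        # Pass-through: the same packet object is forwarded, never parsed.
        self.relayed.append(pkt)
        return pkt


def run_exchange(gateway, id_type, id_data, client_identity):
    """Simulate the EAP leg after message 3. Returns (aaa_name, trace),
    where trace is a list of (sender, receiver, EapPacket) tuples."""
    trace = []
    aaa = gateway.select_aaa(id_type, id_data)
    req = aaa.first_request()
    trace.append(("aaa", "gateway", req))
    trace.append(("gateway", "initiator", gateway.relay(req)))
    # The initiator may answer an Identity request if it receives one.
    if req.eap_type == EAP_TYPE_IDENTITY:
        resp = EapPacket(EAP_RESPONSE, req.identifier, EAP_TYPE_IDENTITY, client_identity)
    else:
        resp = EapPacket(EAP_RESPONSE, req.identifier, req.eap_type, b"method-data")
    trace.append(("initiator", "gateway", resp))
    aaa.receive(gateway.relay(resp))
    trace.append(("gateway", "aaa", resp))
    return aaa.name, trace


def demo():
    # Constructed deployment: one AAA per realm, plus a default for clients
    # whose IDi (e.g. an IP address) gives no hint. Only the default AAA
    # chooses to ask for the EAP identity itself.
    servers = {
        "example.com": AaaServer("aaa-example", ask_identity=False),
        "default": AaaServer("aaa-default", ask_identity=True),
    }
    gw = Gateway(servers, "default")
    with_hint = run_exchange(gw, ID_RFC822_ADDR, b"alice@example.com", b"alice@example.com")
    no_hint = run_exchange(gw, ID_IPV4_ADDR, bytes([192, 0, 2, 10]), b"bob@example.com")
    return with_hint, no_hint


if __name__ == "__main__":
    for name, trace in demo():
        print(name, [(s, r, p.code, p.eap_type) for s, r, p in trace])
```

In the second run the IDi is an IPv4 address, so the gateway falls back to its default AAA server; that server, not the gateway, emits the EAP Identity request, and the gateway forwards the very same packet object in both directions, which is what "pass-through" means in practice.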


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec