Hi Raj,

On Wed, February 10, 2010 2:30 am, Raj Singh wrote:
> On Wed, Feb 10, 2010 at 3:44 PM, Alper Yegin <alper.ye...@yegin.org>
> wrote:
<snip>
>> In other uses of AAA (such as with WiFi, WiMAX, 3GPP2, etc.) I know that
>> the subscriber ID is hidden from the NAS. There are even specific methods
>> deployed for that purpose. So, disclosing that ID would not be acceptable
>> there. I'm just not sure if the same privacy concerns apply to the VPN
>> deployments.
>>
>> I am not able to see these privacy concerns in VPN deployments using
>> IKEv2.
> As EAP packets are inside the IKEv2 packet, which is encrypted.
> The IKEv2 Responder asks for the EAP identity before EAP authentication, and
> the IKEv2 initiator can provide the EAP identity which it's going to use.
It can. And it does. But that identity is not used for authentication purposes because "it may have been truncated or obfuscated so as to provide privacy, or it may have been decorated for routing purposes" (see RFC 3748, the Extensible Authentication Protocol).

So depending on how the client "decorates" the identity he provides to the IKEv2 responder's EAP identity request, the AAA server may forward it off to some other AAA server to do "real" authentication, and that server may process it or may forward it off. And so on. And the client can provide anything as IDi. And there lies the problem.

regards,

Dan.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
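As an added illustration of the exchange Dan describes (this is example code, not part of the thread and not any IKEv2 or RADIUS implementation's code): the EAP-Request/Identity and EAP-Response/Identity framing of RFC 3748 section 4, NAI decoration and the per-proxy stripping rule of RFC 4282 section 2.7, and a policy helper showing that the gateway may only key authorization on an identity the home AAA server asserts, never on the initiator-chosen IDi or EAP identity. The realm and user names are constructed, the function names are mine, and the assumption that each proxy in a multi-hop chain strips the leftmost decoration first is an assumption about proxy behaviour, not something the thread states.

```python
"""
Added worked example, not part of the IPsec list thread.
EAP Identity framing: RFC 3748 sections 4 and 5.1.
NAI decoration/stripping: RFC 4282 section 2.7 (leftmost-first strip order
for multi-hop chains is an assumption here).
All realm and user names are constructed for illustration.
"""
import struct
from typing import List, Optional, Tuple

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1


def eap_identity_request(ident: int) -> bytes:
    """EAP-Request/Identity as the IKEv2 responder sends it inside IKE_AUTH."""
    return struct.pack("!BBHB", EAP_REQUEST, ident, 5, EAP_TYPE_IDENTITY)


def eap_identity_response(ident: int, nai: str) -> bytes:
    """EAP-Response/Identity; Type-Data is whatever NAI the initiator chooses."""
    data = nai.encode("utf-8")
    hdr = struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), EAP_TYPE_IDENTITY)
    return hdr + data


def parse_eap_identity(pkt: bytes) -> str:
    """Return the identity string the gateway sees. RFC 3748 5.1: it may be
    truncated, obfuscated for privacy, or decorated for routing, so it is an
    opaque routing hint here, not an authenticated name."""
    code, _ident, length, etype = struct.unpack("!BBHB", pkt[:5])
    if code != EAP_RESPONSE or etype != EAP_TYPE_IDENTITY or length != len(pkt):
        raise ValueError("not a well-formed EAP-Response/Identity")
    return pkt[5:].decode("utf-8")


def split_nai(nai: str) -> Tuple[str, str]:
    """Split an NAI into (username, realm). '@realm' with an empty username is
    the privacy NAI of RFC 4282 section 2.3; a realm-less username yields ''."""
    if "@" not in nai:
        return nai, ""
    user, _, realm = nai.rpartition("@")
    return user, realm


def strip_decoration(nai: str) -> Tuple[Optional[str], str]:
    """One proxy hop (RFC 4282 2.7). The proxy for the realm after '@' receives
    'a.example!user@b.example', removes its own realm and the leftmost
    'a.example!' decoration, and forwards 'user@a.example'.
    Returns (next_realm, forwarded_nai); next_realm None means this is home."""
    user, _realm = split_nai(nai)
    if "!" not in user:
        return None, nai
    next_realm, _, rest = user.partition("!")
    return next_realm, f"{rest}@{next_realm}"


def route(nai: str) -> Tuple[List[str], str]:
    """Walk the proxy chain: the realms visited and the NAI the home AAA server
    finally sees. This is the 'forward it off ... and so on' of the thread,
    driven entirely by a string the initiator chose. Loops are rejected."""
    visited = [split_nai(nai)[1]]
    while True:
        nxt, nai = strip_decoration(nai)
        if nxt is None:
            return visited, nai
        if nxt in visited:
            raise ValueError(f"routing loop through {nxt}")
        visited.append(nxt)


def identity_for_policy(claimed: str, aaa_asserted: Optional[str]) -> Optional[str]:
    """What the IKEv2 responder may key authorization on: only an identity the
    home AAA server asserts on success (for RADIUS, a User-Name attribute in the
    Access-Accept, RFC 2865 section 5.1). The claimed IDi / EAP identity is
    deliberately ignored; it was never authenticated by anyone."""
    return aaa_asserted


def ike_auth_identity_exchange(nai: str) -> Tuple[str, List[str], str]:
    """Responder asks, initiator answers with whatever it likes, gateway hands
    the opaque string to AAA and watches where routing takes it."""
    eap_identity_request(1)                    # sent by the responder
    resp = eap_identity_response(1, nai)       # sent by the initiator
    seen = parse_eap_identity(resp)            # all the responder learns
    visited, at_home = route(seen)
    return seen, visited, at_home


if __name__ == "__main__":
    for claimed in ("@home.example", "home.example!alice@visited.example",
                    "a.example!b.example!bob@c.example"):
        print(ike_auth_identity_exchange(claimed))
```

The point of `identity_for_policy` is the whole thread in one line: the only name the gateway can act on is the one the home AAA server hands back after a successful method, because the string in IDi and in EAP-Response/Identity is chosen by the peer and only steers routing.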