Hi Paul,
One clear change is that updating the address, port info is changed from
authenticated packet
to integrity protected packet.
Is this change to allow recovery from NAT mapping removal during
establishment of IKEv2 SA
e.g. with EAP authentication, during retransmission of IKE_AUTH exch
The last bullet in 2.23 is confusing. A proposed rewrite is:
Old:
There are cases where a NAT box decides to remove mappings that are
still alive (for example, the keepalive interval is too long, or the
NAT box is rebooted). To recover in these cases, hosts that do not
support other methods of r
Hi Dan,
On Fri, Feb 5, 2010 at 2:47 AM, Dan Harkins wrote:
>
> Hi Raj,
>
> RFC 3748 (the RFC defining EAP) says:
>
> The Identity Response may not be the appropriate
> identity for the method; it may have been truncated or obfuscated
> so as to provide privacy, or it may have b
I'm considering implementing LZF as an IPcomp transform. LZF is a small
(core transform is about 1K), very fast, patent-free LZ family compressor.
(http://oldhome.schmorp.de/marc/liblzf.html)
It compresses about 2X-4X as fast as Deflate and uncompresses almost as
fast as memcpy() on many
Hi Raj,
RFC 3748 (the RFC defining EAP) says:
The Identity Response may not be the appropriate
identity for the method; it may have been truncated or obfuscated
so as to provide privacy, or it may have been decorated for
routing purposes.
In other words, the identity
Hi Yoav,
According to RFC-3579 [Appendix-A] RADIUS (Remote Authentication Dial In
User Service) Support For Extensible Authentication Protocol (EAP) shows
that NAS (IKEv2 Gateway) sends an EAP-Request/Identity as the initial packet
to IKEv2 initiator. Here IKEv2 will come to know EAP identity and
Paul Hoffman writes:
> >Probably s/informational/Informational ? I'm not sure because the
> >term "Informational Message" is never formally introduced in the document
> >apart from this section...
>
> Actually, it is introduced in 1.4: "Note that some informational messages, not
> exchanges, can b
At 9:48 AM +0300 2/4/10, Valery Smyslov wrote:
>These two paragraphs are left from previous version and
>should be removed (now all they are talking about is explained
>in more details below).
There were bits in those two paragraphs that were still new, but on further
looking, I see that those bi
The IKEv2 responder enforces policy, so it has to know the identity, both for
enforcement and auditing. Suppose y...@checkpoint.com is allowed to access
server X, while alper.ye...@yegin.org is not, then the IKEv2 responder needs to
both block your attempts to access server X (perhaps by failing
Hello,
Why would the IKEv2 responder need to know the real identity?
There can be privacy reasons for hiding it from any entity other than the
AAA/authentication server.
I'm thinking that mandating AAA server to reveal that value is not necessary
and also problematic.
Alper
> -Original M