Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-12 Thread Alper Yegin
> > I'm not aware, either. > > In other uses of AAA (such as with WiFi, WiMAX, 3GPP2, etc.) I know > that > > the > > subscriber ID is hidden from the NAS. There are even specific methods > > deployed for that purpose. So, disclosing that ID would not be > acceptable > > there. I'm just not sure if

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-10 Thread Dan Harkins
Hi Yoav, First of all, IDi is not sent in response to an EAP Identity Request. Every NAS will, when it comes time to initiate EAP authentication, request an identity. That's how EAP works. The IKEv2 responder "knows" to send an EAP Identity Request because the IKEv2 initiator has indicated it

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-10 Thread Yoav Nir
Hi. This is an interesting subject, and perhaps could be a good candidate for discussion at Anaheim. However, from the narrow perspective of a VPN vendor, I don't think this issue is very complicated: - In the first IKE_AUTH request the initiator provides *an* identity. This could be something

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-10 Thread Dan Harkins
Hi Raj, On Wed, February 10, 2010 2:30 am, Raj Singh wrote: > On Wed, Feb 10, 2010 at 3:44 PM, Alper Yegin > wrote: >> In other uses of AAA (such as with WiFi, WiMAX, 3GPP2, etc.) I know that >> the >> subscriber ID is hidden from the NAS. There are even specific methods >> deployed for that

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-10 Thread Dan Harkins
Hi Alper, On Wed, February 10, 2010 2:14 am, Alper Yegin wrote: > Dan, > >> Hi Alper, >> >> In that case there is no standard way for the AAA server to inform >> the >> IKEv2 responder of this "policy" that it needs to enforce. So that >> sounds >> unworkable. > > I guess it can be specifie

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-10 Thread Stephen Kent
At 12:14 PM +0200 2/10/10, Alper Yegin wrote: Dan, Hi Alper, In that case there is no standard way for the AAA server to inform the IKEv2 responder of this "policy" that it needs to enforce. So that sounds unworkable. I guess it can be specified. The IKEv2 responder already ha

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-10 Thread Raj Singh
> > > > > > regards, > > > > Dan. > > > > On Tue, February 9, 2010 2:53 am, Alper Yegin wrote: > > > Dan, > > > > > > I'm not aware of any such document. > > > > > > Alper > > > > > >

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-10 Thread Alper Yegin
al Message- > >> From: Dan Harkins [mailto:dhark...@lounge.org] > >> Sent: Monday, February 08, 2010 8:13 PM > >> To: Alper Yegin > >> Cc: 'Yoav Nir'; 'Raj Singh'; 'Yaron Sheffer'; 'ipsec' > >> Subject: Re: [IPsec] Fwd:

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-09 Thread Dan Harkins
I'm not aware of any such document. > > Alper > > > >> -Original Message- >> From: Dan Harkins [mailto:dhark...@lounge.org] >> Sent: Monday, February 08, 2010 8:13 PM >> To: Alper Yegin >> Cc: 'Yoav Nir'; 'Raj Singh'; 'Yaron Sheffer';

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-09 Thread Alper Yegin
> policy is determined by and communicated to the responder by the AAA > > server. > > > > Alper > > > > > > > > > > > > > >> -Original Message- > >> From: Yoav Nir [mailto:y...@checkpoint.com] > >> Sent: Thurs

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-08 Thread Stephen Kent
At 11:41 AM +0200 2/8/10, Alper Yegin wrote: Yoav, When the IKEv2 responder offloads the Authentication, Authorization, and Accounting (AAA) responsibilities to a centralized AAA server, it is no longer in the business of figuring out who the peer is, if the peer is really who it claims it is, w

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-08 Thread Dan Harkins
ilto:y...@checkpoint.com] >> Sent: Thursday, February 04, 2010 3:45 PM >> To: 'Alper Yegin'; 'Raj Singh'; Yaron Sheffer >> Cc: 'ipsec' >> Subject: RE: [IPsec] Fwd: Issue : Regarding EAP identity >> >> The IKEv2 responder enforces pol

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-08 Thread Alper Yegin
av Nir [mailto:y...@checkpoint.com] > Sent: Thursday, February 04, 2010 3:45 PM > To: 'Alper Yegin'; 'Raj Singh'; Yaron Sheffer > Cc: 'ipsec' > Subject: RE: [IPsec] Fwd: Issue : Regarding EAP identity > > The IKEv2 responder enforces policy, so it has to k

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-04 Thread Raj Singh
IKEv2 responder need to know the real identity? > >> There can be privacy reasons for hiding it from any entity other than > >> the > >> AAA/authentication server. > >> > >> I'm thinking that mandating AAA server to reveal that value is not >

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-04 Thread Dan Harkins
>> Unless there is a single policy for all authenticated users, you do need >> the user identity. >> >> -----Original Message----- >> From: Alper Yegin [mailto:alper.ye...@yegin.org] >> Sent: Thursday, February 04, 2010 3:40 PM >> To: Yoav Nir; 'Raj Sin

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-04 Thread Raj Singh
> I'm thinking that mandating AAA server to reveal that value is not > necessary > and also problematic. > > Alper > > > > > > -Original Message- > > From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf > > Of Yoav Nir >

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-04 Thread Yoav Nir
, you do need the user identity. -Original Message- From: Alper Yegin [mailto:alper.ye...@yegin.org] Sent: Thursday, February 04, 2010 3:40 PM To: Yoav Nir; 'Raj Singh'; Yaron Sheffer Cc: 'ipsec' Subject: RE: [IPsec] Fwd: Issue : Regarding EAP identity Hello, Why

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-04 Thread Alper Yegin
Original Message- > From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf > Of Yoav Nir > Sent: Wednesday, February 03, 2010 10:43 AM > To: 'Raj Singh'; Yaron Sheffer > Cc: ipsec > Subject: Re: [IPsec] Fwd: Issue : Regarding EAP identity > > Hi

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-03 Thread Yoav Nir
: [IPsec] Fwd: Issue : Regarding EAP identity Hi Yaron, The question is more towards when EAP identity is needed and is different from IDi. But AAA server doesn't send it, we will fail. But draft doesn't have any say for this scenario. So it becomes mandatory for AAA server to send identity

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-02 Thread Raj Singh
.@ietf.org] *On Behalf > Of *Raj Singh > *Sent:* Wednesday, February 03, 2010 7:45 > *To:* ipsec > *Subject:* [IPsec] Fwd: Issue : Regarding EAP identity > > > > Hi Paul, Ticket Issue#174 opened for it. Regards, Raj > > -- Forwarded message -- > From: *Paul

Re: [IPsec] Fwd: Issue : Regarding EAP identity

2010-02-02 Thread Yaron Sheffer
: Issue : Regarding EAP identity Hi Paul, Ticket Issue#174 opened for it. Regards, Raj -- Forwarded message -- From: Paul Hoffman mailto:paul.hoff...@vpnc.org>> Date: Wed, Feb 3, 2010 at 9:41 AM Subject: Re: Issue : Regarding EAP identity To: Raj Singh mailto:rsjen...@gmail.co

[IPsec] Fwd: Issue : Regarding EAP identity

2010-02-02 Thread Raj Singh
Hi Paul, Ticket Issue#174 opened for it. Regards, Raj -- Forwarded message -- From: Paul Hoffman Date: Wed, Feb 3, 2010 at 9:41 AM Subject: Re: Issue : Regarding EAP identity To: Raj Singh Cc: Yaron Sheffer At 9:09 AM +0530 2/3/10, Raj Singh wrote: Hi Paul, In ikev2bis07