Re: [Emu] Question on EAP-IKEv2
Hannes,
It was my understanding that authenticating the server first is an
essential behavior to prevent disclosing the user identity to an
imposter. This behavior is also part of EAP-FAST and EAP-TTLS.
Gene
----------------------------------------------------------------------------
Eugene Chang (genchang)
Cisco Systems
Office: 603-559-2978
Mobile: 781-799-0233
Skype: gene02421
> -----Original Message-----
> From: emu-bounces at ietf.org [mailto:emu-bounces at ietf.org] On Behalf Of
> Hannes Tschofenig
> Sent: Sunday, May 04, 2008 11:56 AM
> To: Ali Fessi
> Cc: emu at ietf.org
> Subject: Re: [Emu] Question on EAP-IKEv2
>
> That's one reason.
>
> The other one is to be able to have a strong password based mechanism.
> When you reverse the roles of client and server then you allow the
> server to be authenticated first before you present your "password".
>
> Finally, reversing the roles allows you to offer active user identity
> confidentiality.
>
> Ciao
> Hannes
>
>
>
> Ali Fessi wrote:
> > Hi,
> >
> > I wonder why the IKEv2 exchange in EAP-IKEv2 is initiated by the server.
> >
> > (See, RFC 5106, Page 7, Figure 1, message 3)
> >
> > Is the reason to save two messages, for example, compared to EAP-TLS?
> >
> > Best,
> > Ali
> >
> > _______________________________________________
> > Emu mailing list
> > Emu at ietf.org
> > https://www.ietf.org/mailman/listinfo/emu
> >
>
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.