RE: [Ipsec] Reauthentication in IKEv2
Tero Kivinen wrote:
>
> I think it would be much simpler to simply send one
> informational message from the gateway when he wants the
> client to redo authentication, and if client does not finish
> reauthentication within some server specified timeframe then
> server will disconnect the connection.
Yes, but the client has more knowledge about the situation...
E.g., if I have a long download ongoing, and I'm leaving for
lunch, I could check how much time is remaining before the
next reauthentication (instead of always reauthenticating
"just in case", or hoping for the best).
And sending the lifetime means one message exchange less
in >99% of the cases, so it's IMHO the simpler of the two
alternatives (but I guess we disagree here :-).
> We do not have negotiated lifetimes in the IKEv2, so why add
> them now? You could already use the AUTH_LIFETIME specified
> in the draft that way, but I think that the lifetime parameter
> simply adds complexity and should be left out. The server
> needs to still keep the timers and verify that the client has
> done the authentication on time, so the server could
> simply keep a timer and send the REAUTH_NOW notification when
> reauthentication is required.
Normal rekeying can be initiated by either end, and does not
require user interaction, so the peers can have their own
policies without any need for negotiation. But IMHO here
making the gateway's policy visible to the client would
(in some circumstances) provide benefits to the end user.
> Now client also must keep the timer and start authentication
> before the given time. If server would simply send the
> REAUTHENTICATE_NOW notifies, then client does not keep the
> timers to do this.
Unless the client also has a policy about reauthenticating the
server; then both parties need timers.
<snip>
>
> At least I didn't see enough support for this, in the list, so
> this could really be a WG item. I think this should probably
> be postponed to the IKEv2 extensions WG (I assume someone will
> someday create one), just like the
> draft-eronen-ipsec-ikev2-eap-auth-02.txt...
Are you against publishing them as individual submissions?
(Taking into account that it looks like several vendors will
ship something like this in 2005, so the alternative is
vendor-specific extensions.)
Best regards,
Pasi
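The two designs argued over in this thread, as an added toy model written for this page; it is not code from the mail, from the draft, or from any IKEv2 implementation. AUTH_LIFETIME and REAUTH_NOW are the notification names used in the mails; the payload details, the 20-second grace period after REAUTH_NOW, the 5-second safety margin and the simulated clock are all assumptions. The model shows the three points being argued: the gateway keeps its own timer and disconnects in both designs, announcing the lifetime costs no extra exchange while REAUTH_NOW costs one per reauthentication, and only a client that knows the lifetime can answer the "will my download outlive the authentication?" question.

```python
"""Toy model of the two IKEv2 reauthentication designs discussed in the thread.

Added illustration, not code from the thread, the draft, or any IKEv2 stack.
AUTH_LIFETIME and REAUTH_NOW are the notification names used in the mails; the
payload details, the 20-second grace period and the 5-second margin are assumed.
Time is a simulated integer clock in seconds; nothing really sleeps.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Client:
    own_lifetime: Optional[int] = None  # client's own policy for re-authenticating the gateway
    responsive: bool = True             # False models a client that ignores the gateway entirely
    gw_expiry: Optional[int] = None     # learned from AUTH_LIFETIME, if the gateway sends it
    must_reauth: bool = False           # set by REAUTH_NOW
    auth_time: int = 0
    informational_exchanges: int = 0    # extra exchanges caused by reauthentication signalling
    reauths: int = 0                    # IKE_AUTH runs, including the first one

    def recv_auth_lifetime(self, now: int, lifetime: int) -> None:
        self.gw_expiry = now + lifetime

    def recv_reauth_now(self, now: int) -> None:
        self.informational_exchanges += 1
        self.must_reauth = True

    def remaining(self, now: int) -> Optional[int]:
        """Seconds until the gateway wants a fresh authentication; None if the client cannot know."""
        return None if self.gw_expiry is None else max(0, self.gw_expiry - now)

    def wants_reauth(self, now: int, margin: int = 5) -> bool:
        if not self.responsive:
            return False
        if self.must_reauth:
            return True
        remaining = self.remaining(now)
        if remaining is not None and remaining <= margin:
            return True
        # client-side policy: both parties need timers in this case
        return self.own_lifetime is not None and now - self.auth_time >= self.own_lifetime

    def reauthenticate(self, now: int, gw: "Gateway") -> None:
        self.reauths += 1
        self.must_reauth = False
        self.auth_time = now
        gw.ike_auth(now, self)


@dataclass
class Gateway:
    lifetime: int             # policy: seconds an authentication stays valid
    announce_lifetime: bool   # True: send AUTH_LIFETIME in IKE_AUTH; False: send REAUTH_NOW at expiry
    grace: int = 20           # seconds allowed after REAUTH_NOW before the IKE SA is deleted (assumed)
    auth_time: int = 0
    reauth_requested_at: Optional[int] = None
    deleted_at: Optional[int] = None

    def ike_auth(self, now: int, client: Client) -> None:
        self.auth_time = now
        self.reauth_requested_at = None
        if self.announce_lifetime:
            client.recv_auth_lifetime(now, self.lifetime)  # rides inside IKE_AUTH: no extra exchange

    def tick(self, now: int, client: Client) -> None:
        """The gateway keeps its own timer in both designs and enforces its policy itself."""
        if self.deleted_at is not None or now - self.auth_time < self.lifetime:
            return
        if self.announce_lifetime:
            self.deleted_at = now                   # client was told the deadline and missed it
        elif self.reauth_requested_at is None:
            self.reauth_requested_at = now
            client.recv_reauth_now(now)             # one extra INFORMATIONAL exchange
        elif now - self.reauth_requested_at >= self.grace:
            self.deleted_at = now                   # REAUTH_NOW was ignored


def run(announce_lifetime: bool, duration: int = 200, gw_lifetime: int = 60,
        client_policy: Optional[int] = None, responsive: bool = True) -> dict:
    """Simulate one client/gateway pair for `duration` seconds and summarise what it cost."""
    gw = Gateway(lifetime=gw_lifetime, announce_lifetime=announce_lifetime)
    cl = Client(own_lifetime=client_policy, responsive=responsive)
    cl.reauthenticate(0, gw)                        # initial IKE_AUTH at t=0
    for now in range(1, duration + 1):
        gw.tick(now, cl)
        if gw.deleted_at is None and cl.wants_reauth(now):
            cl.reauthenticate(now, gw)
    return {"reauths": cl.reauths, "extra_exchanges": cl.informational_exchanges,
            "deleted_at": gw.deleted_at}


def reauth_before_task(client: Client, now: int, task_seconds: int) -> Optional[bool]:
    """The 'leaving for lunch' check: reauthenticate first if the task would outlive the
    authentication.  None means the client was never told the lifetime and can only
    reauthenticate 'just in case' or hope for the best."""
    remaining = client.remaining(now)
    return None if remaining is None else remaining < task_seconds


if __name__ == "__main__":
    print("AUTH_LIFETIME:", run(True))
    print("REAUTH_NOW:   ", run(False))
    print("both timers:  ", run(True, client_policy=40))
    print("ignored:      ", run(False, responsive=False))
```

With a 60-second gateway policy over 200 simulated seconds, both designs produce the same number of IKE_AUTH runs, but the REAUTH_NOW variant adds one INFORMATIONAL exchange per reauthentication and the AUTH_LIFETIME variant adds none; an unresponsive client is deleted in both cases, at the lifetime in one design and at lifetime plus grace in the other.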
_______________________________________________
Ipsec mailing list
Ipsec at ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.