RE: [Ipsec] Reauthentication in IKEv2
Pasi.Eronen at nokia.com writes:
> Yes, but the client has more knowledge about the situation...
> E.g., if I have a long download ongoing, and I'm leaving for
> lunch, I could check how much time is remaining before the
> next reauthentication (instead of always reauthenticating
> "just in case", or hoping for the best).
So the client does not have any more information in this case, but the
user of the client does. The user at the client end can do much more
intelligent things regardless of the lifetimes sent in the protocol.
> And sending the lifetime means one message exchange less
> in >99% of the cases, so it's IMHO the simpler of the two
> alternatives (but I guess we disagree here :-).
Note that in the proposal the lifetime is sent AS A SEPARATE
informational exchange, so the number of packets and exchanges stays
the same. The only difference is that if the lifetime parameter is there, then
BOTH client and server will need to keep track of it. If it is not
there, then only the AAA server needs to keep track of it, and it can
inform the server that now it is time to do reauthentication, and the
server will then inform the client, etc.
> policies without any need for negotiation. But IMHO here
> making the gateway's policy visible to the client would
> (in some circumstances) provide benefits to the end user.
Some people consider that giving out the lifetime also gives out too
much information, i.e. the attacker knows that he has this much time
before the VPN connection to the corporate HQ is cut off from the
laptop he stole.
> > At least I didn't see enough support for this, in the list, so
> > this could really be a WG item. I think this should probably
> > be postponed to the IKEv2 extensions WG (I assume someone will
> > someday create one), just like the
> > draft-eronen-ipsec-ikev2-eap-auth-02.txt...
>
> Are you against publishing them as individual submissions?
No, but I would think it would be better to start a WG to take care of
them. There are people who are interested in them, and as the IPsec WG
is going to be shut down, we need some place to discuss and process
them.
--
kivinen at safenet-inc.com
_______________________________________________
Ipsec mailing list
Ipsec at ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.