Re: [Ipsec] Reauthentication in IKEv2

And yet, even in IKEv2 when lifetimes are appropriate they are used.

Take the Cfg payload. Since the back-end server is usually a DHCP server, we want to make the client request an extension to the INTERNAL_IPx_ADDRESS. That is why there is an attribute called INTERNAL_ADDRESS_EXPIRY.

To quote from the draft, "INTERNAL_ADDRESS_EXPIRY - Specifies the number of seconds that the host can use the internal IP address. The host MUST renew the IP address before this expiry time." So IKEv2 is not averse to forcing hosts to keep timers when there is good reason.

Although being able to re-authenticate at an arbitrary time is nice flexibility, this is an attribute that involves human interaction, so the key consideration is not flexibility for the RA gateway, but predictability for the user. Users hate pop-up demands for authentication. That is why almost no websites use http authentication, but rather have an elaborate login screen. Users would much rather have a countdown timer telling them how long they have before they need to type in their credentials again. As others have mentioned, there is also the issue of going to lunch and leaving the long ftp going, as well as other protocols that require long TCP connections such as telnets, X11 and remote desktops.

My proposal still allows you to demand authentication at an arbitrary time, but such a demand should not be "reauthenticate now!" but rather "reauthenticate within 3 minutes". IMO demanding reauthentication means you do not trust your peer anymore, and if that's the case it is only correct to refuse traffic and send a delete. If the notification says "reauthenticate now" the user has no way of knowing how long she has to enter her credentials. At least the pop-up authentication window should have a countdown.

I've noticed that it's a very small group here that is talking about it. Do you think this means that there is little interest in re-authentication?

Yoav

On Nov 2, 2004, at 8:59 PM, Geoffrey Huang wrote:

I have to agree with Tero on this thread. The idea of the AUTH_LIFETIME notify strikes me as very similar to the negotiated lifetimes of IKEv1. I quite like the way lifetimes are done in IKEv2. Since it's a policy matter that each peer needs to enforce locally, I don't see a reason why the lifetime ever needs to be communicated.

Note that the idea of a REAUTH_NOW message also allows for signalling a peer's desire to re-authenticate at an arbitrary time. I like this flexibility.

-g
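As an added illustration of the Cfg payload mechanism Yoav describes above (example code, not from the thread or from any IKEv2 implementation): a parser for the configuration-attribute list that checks lengths before trusting them, extracts INTERNAL_ADDRESS_EXPIRY, and turns it into the kind of countdown the message argues users want. Attribute type numbers follow the IKEv2 draft / RFC 4306 (INTERNAL_ADDRESS_EXPIRY = 5); the sample CFG_REPLY body is constructed.

```python
import struct

# Configuration attribute types from the IKEv2 draft (RFC 4306 section 3.15.1).
INTERNAL_IP4_ADDRESS = 1
INTERNAL_ADDRESS_EXPIRY = 5

def parse_cfg_attributes(data):
    """Parse the attribute list of an IKEv2 Configuration payload body.

    Each attribute is: 1 reserved (R) bit + 15-bit type, 16-bit length, value.
    Returns a list of (type, value) pairs and refuses truncated attributes
    rather than reading past the end of the buffer.
    """
    attrs = []
    off = 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header at offset %d" % off)
        typ, length = struct.unpack_from("!HH", data, off)
        typ &= 0x7FFF  # mask off the reserved bit
        off += 4
        if length > len(data) - off:
            raise ValueError("attribute %d claims %d bytes, %d left"
                             % (typ, length, len(data) - off))
        attrs.append((typ, data[off:off + length]))
        off += length
    return attrs

def address_expiry_seconds(attrs):
    """Return the granted INTERNAL_ADDRESS_EXPIRY in seconds, or None.

    The value is a 4-octet count; a zero-length attribute is a request
    (as in a CFG_REQUEST), not a granted lifetime."""
    for typ, value in attrs:
        if typ == INTERNAL_ADDRESS_EXPIRY:
            if len(value) == 0:
                return None
            if len(value) != 4:
                raise ValueError("INTERNAL_ADDRESS_EXPIRY must be 0 or 4 octets")
            return struct.unpack("!I", value)[0]
    return None

def seconds_until_renewal(expiry_seconds, elapsed_seconds, lead_fraction=0.9):
    """Countdown the client can show the user: seconds left before it must
    begin renewing. Renewal starts after lead_fraction of the lifetime so
    the host renews before expiry, as the draft requires; never negative."""
    return max(0, int(expiry_seconds * lead_fraction) - elapsed_seconds)

# Constructed sample: a CFG_REPLY body granting 10.0.0.7 for 3600 seconds.
SAMPLE_CFG_REPLY = (
    struct.pack("!HH", INTERNAL_IP4_ADDRESS, 4) + bytes([10, 0, 0, 7])
    + struct.pack("!HH", INTERNAL_ADDRESS_EXPIRY, 4) + struct.pack("!I", 3600)
)
```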

_______________________________________________
Ipsec mailing list
Ipsec at ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.