Re: [Ipsec] Reauthentication in IKEv2

A zero value would mean "reauthenticate now", but usually in such a case the gateway is not going to follow this notification with a delete immediately.

I would much rather have the gateway send "reauth within 5 minutes".

On Nov 11, 2004, at 3:58 AM, Bill Sommerfeld wrote:

> On Wed, 2004-11-10 at 20:27, Geoffrey Huang wrote:
>
> > I can see arguments from both sides, I guess.  Even with your re-auth
> > scheme, a value of "0" seconds could mean "do it now," right?
>
> I'd think so; I'd also hope that the encoding should allow for "reauth in 8 hours" notifications as well.
>
> As was pointed out in the secsh working group yesterday for a related
> user-authentication timeout, there are also accessibility concerns here;
> some people enter text *very* slowly; 3 minutes may not be sufficient
> for some.

That is the reason why the gateway should send it together with the last packet of the IKE_AUTH exchange. It might, for example, be a good idea for the client software to pop up an authentication dialog 3 minutes before the authentication timeout elapses, but do it 3 extra minutes earlier if accessibility options are turned on. It's definitely a client-side decision.
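As an added example (not code from this thread or any of its participants), the following encodes the proposed "reauth within N seconds" notification as an IKEv2 Notify payload, parses it on the client, and applies the prompt timing described in the reply (zero means now; prompt 3 minutes early, 3 extra minutes with accessibility options). It assumes the Notify payload layout of RFC 7296 and the AUTH_LIFETIME Notify Message Type (16403, 4-octet lifetime in seconds) that RFC 4478 later defined; neither value appears in this thread.

```python
import struct
import time

# Assumed, not from the thread: RFC 4478 defines AUTH_LIFETIME as Notify type 16403
# whose data is a 4-octet lifetime in seconds.
AUTH_LIFETIME = 16403
PROMPT_LEAD = 3 * 60          # pop up the dialog 3 minutes before the timeout
ACCESSIBILITY_EXTRA = 3 * 60  # 3 extra minutes when accessibility options are on
MAX_LIFETIME = 0xFFFFFFFF


def build_auth_lifetime_notify(seconds, next_payload=0):
    """Encode a Notify payload (RFC 7296 section 3.10 layout) carrying the lifetime.
    Protocol ID 0 and SPI Size 0 because the notification concerns the IKE SA itself."""
    if not 0 <= seconds <= MAX_LIFETIME:
        raise ValueError("lifetime out of range")
    data = struct.pack("!I", seconds)
    length = 8 + len(data)
    # next payload, critical bit cleared, payload length, protocol id, spi size, type
    return struct.pack("!BBHBBH", next_payload, 0, length, 0, 0, AUTH_LIFETIME) + data


def parse_auth_lifetime_notify(payload):
    """Return the lifetime in seconds, validating every fixed field before trusting it."""
    if len(payload) < 8:
        raise ValueError("truncated notify payload")
    _np, _crit, length, proto, spi_size, ntype = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload) or proto != 0 or spi_size != 0 or ntype != AUTH_LIFETIME:
        raise ValueError("not a well-formed AUTH_LIFETIME notify")
    if length - 8 != 4:
        raise ValueError("lifetime data must be exactly 4 octets")
    return struct.unpack("!I", payload[8:12])[0]


def schedule_reauth_prompt(lifetime, received_at, accessibility):
    """Client-side decision from the thread: return (prompt_at, deadline) as timestamps.
    A zero lifetime means reauthenticate now, so the prompt fires at once; otherwise it
    fires PROMPT_LEAD seconds early (more with accessibility), but never before receipt."""
    deadline = received_at + lifetime
    lead = PROMPT_LEAD + (ACCESSIBILITY_EXTRA if accessibility else 0)
    prompt_at = max(received_at, deadline - lead)
    return prompt_at, deadline


if __name__ == "__main__":
    now = time.time()
    wire = build_auth_lifetime_notify(5 * 60)  # "reauth within 5 minutes"
    print(schedule_reauth_prompt(parse_auth_lifetime_notify(wire), now, False))
```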



_______________________________________________
Ipsec mailing list
Ipsec at ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.