Re: [Ipsec] Reauthentication in IKEv2




Bill Sommerfeld wrote:
On Wed, 2004-11-10 at 20:27, Geoffrey Huang wrote:


I can see arguments from both sides, I guess. Even with your re-auth scheme, a value of "0" seconds could mean "do it now," right?


I'd think so; I'd also hope that the encoding should also allow for
"reauth in 8 hours" notifications as well.

As was pointed out in the secsh working group yesterday for a related
user-authentication timeout, there are also accessibility concerns here;
some people enter text *very* slowly; 3 minutes may not be sufficient
for some.

Yes, but as was pointed out earlier, you don't need this "re-auth in X seconds" scheme to achieve this. You could simply have the server send a reauth_now message ahead of time.


I'm not disagreeing with you -- I'm just pointing out that the 2 main schemes I've read about in this thread differ only in *how* they communicate the reauth message. One scheme says "re-auth in X number of seconds," whereas the other simply says "re-auth right now."

-g


						- Bill



