Re: WG Review: Recharter of IP Security Maintenance and Extensions (ipsecme)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



  Hi Jari,

  I don't believe the simpler solution will increase code size or
complexity when compared to the the reuse EAP solution. In fact,
it will be less on both counts.

  In both cases the core key exchange will have to be implemented
and in both cases some configuration glue will be needed. But in the
reuse EAP solution there is the added code to implement an EAP client
and its accompanying state machine, which no IKEv2 gateway currently
needs to implement. In addition, a true EAP server, and accompanying
state machine, will need to be implemented and IKEv2 gateways will
no longer get away with just being a "pass through authenticator".
The reuse EAP solution will also have to implement some new
fragmentation/reassembly code since EAP methods (like ones supporting
"weak" shared secrets) have to roll-their-own. The reuse EAP solution
will also have to implement other, unneeded, exchanges (which is why the
roundtrips/overhead are greater). When you compare the two, it really
is obvious that trying to use EAP in this case increases code size and
complexity versus just doing the exchange as part of IKE.

  EAP is attractive because it provides a generic authentication solution,
but here there is really only one type of authentication to do-- using a
"weak" shared secret. It is also attractive because authentication can be
centralized with one server serving many network access points. But in
this case both sides must have possession of the shared secret and both
sides must be capable of initiating the exchange so use of a centralized
server is not possible. So all of the attractive features of EAP do not
apply and we're left with the undesirable features of EAP-- duplicate
identity exchanges, yet more fragmentation/reassembly code, and
pointless overhead.

  I don't think it's better architecturally to reuse EAP in this situation.
EAP is a network access protocol where one side attempts to obtain network
access from another. There are strict roles played in EAP. In this
situation there are no roles and creating a host-to-host SA or network-
to-network SA is not really the same thing as obtaining network access.

  There are some things that EAP is not appropriate for and this is
one of them.

  regards,

  Dan.

On Fri, February 19, 2010 5:39 am, Jari Arkko wrote:
> Pasi,
>
> (Adding the working group mailing list to the discussion; previous
> discussion has been at ietf@xxxxxxxxx)
>
>> You're right that implementing a "weak shared secret" EAP method (both
>> the EAP peer and EAP server roles) on both IPsec nodes, combined with
>> the "EAP mutual authentication" work item (also in the new charter)
>> could be used in this situation, and would result in roughly the same
>> functionality (perhaps with slightly more roundtrips/other overhead --
>> but that's probably not a critical factor here).
>>
>
> OK. And yes, I agree about the significance of roundtrips.
>
>> NEW:
>>    However, user-configured shared secrets are still useful for many
>>    other IPsec scenarios, such as authentication between two servers
>>    or routers. These scenarios are usually symmetric: both peers know
>>    the shared secret, no back-end authentication servers are involved,
>>    and either peer can initiate an IKEv2 SA. While it would be
>>    possible to use EAP in such situations (by having both peers
>>    implement both the EAP peer and the EAP server roles of an EAP
>>    method intended for "weak" shared secrets) with the mutual
>>    EAP-based authentication work item (above), a simpler solution may
>>    be desirable in many situations.
>>
>
> This formulation is better than what we had previously. I can live with
> this.
>
> But for the record, I am still surprised that I am the only one worried
> about this. In my view this additional solution, while perhaps simpler
> on its own, will increase code size and complexity for most
> implementations. For instance, a device that serves remote access
> clients has to implement at least parts of EAP. To support
> gateway-gateway weak secrets it now has to add support for another,
> completely different authentication mode and associated configuration
> mechanisms & policies. Architecturally, it would be better to rely on
> few general solutions than to build special case "simpler" solutions
> that taken together, actually become more complex. Not to mention the
> impact on interoperability.
>
> Jari
>
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf
>


_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]