Re: Proposed Resolution to issue 318: IKEv2
From: Bernard Aboba (bernard_abobahotmail.com)
Date: Wed, 11 Jan 2006 09:26:35 -0800 (PST)
the EAP method that is used. IKEv2 does not cache EAP keying
material or parameters, nor does it utilize the EAP Key-Lifetime
parameter to determine the lifetime of IPsec SAs. As a result,
once IKEv2 authentication completes it is assumed that
EAP keying material and parameters are discarded.

Hmm. This seems a bit problematic to me. In current AAA, we do not have separate MSK and session lifetime attributes; we just have one lifetime attribute. The description above focuses only on the key lifetime aspects. But I would actually like a security gateway to limit the lifetime of the SAs to Session-Timeout in RADIUS, even if the lifetime can not be communicated to the client.

The above paragraph is referring only to the Key-Lifetime parameter exported by EAP methods, not to the Session-Timeout attribute. With VPN, Session-Timeout is used to limit the VPN session time. However, the point is that in this case Session-Timeout does not represent the MSK lifetime, which is zero (e.g. MSK is not cached).


Potential rewrite:

the EAP method that is used. IKEv2 does not cache EAP keying
material or parameters. As a result,
once IKEv2 authentication completes it is assumed that
EAP keying material and parameters are discarded.
The Session-Timeout attribute is therefore interpreted as a
limit on the VPN session time, rather than an indication of the
MSK key lifetime.
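As an added illustration (not part of this thread or of any IETF draft text), the following toy model shows a security gateway behaving as the rewrite describes: the EAP MSK is consumed once when IKEv2 authentication completes and no copy is kept, while RADIUS Session-Timeout, when present, caps the IPsec SA lifetime locally even though that cap is never signalled to the client. The key derivation, field names and the 3600-second default SA lifetime are assumptions for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessAccept:
    """Constructed stand-in for a RADIUS Access-Accept delivered to the gateway."""
    msk: bytes                       # MSK exported by the EAP method
    session_timeout: Optional[int]   # Session-Timeout in seconds, None if absent


@dataclass
class IkeSession:
    auth_key: bytes      # key material actually used by IKEv2 after EAP
    sa_lifetime: int     # local lifetime applied to the IKE/IPsec SAs
    msk_cached: bool     # gateway never caches the MSK, so always False here


def derive_auth_key(msk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    # Hypothetical derivation standing in for IKEv2's prf-based AUTH computation;
    # the point is only that the MSK is used here and nowhere else.
    return hmac.new(msk, nonce_i + nonce_r, hashlib.sha256).digest()


def bounded_sa_lifetime(configured: int, session_timeout: Optional[int]) -> int:
    """Local SA lifetime: configured policy, capped by Session-Timeout if present.

    Session-Timeout bounds the VPN session, not the MSK; the MSK lifetime is zero
    regardless of this value.
    """
    if session_timeout is None or session_timeout <= 0:
        return configured
    return min(configured, session_timeout)


def complete_ike_auth(accept: AccessAccept, nonce_i: bytes, nonce_r: bytes,
                      configured_sa_lifetime: int = 3600) -> IkeSession:
    """Finish IKEv2 EAP authentication; the MSK is consumed and then discarded."""
    auth_key = derive_auth_key(accept.msk, nonce_i, nonce_r)
    # Discard the EAP keying material: overwrite the only reference the gateway
    # holds so nothing remains to be reused for a later IKE_SA_INIT/IKE_AUTH.
    accept.msk = b""
    lifetime = bounded_sa_lifetime(configured_sa_lifetime, accept.session_timeout)
    return IkeSession(auth_key=auth_key, sa_lifetime=lifetime, msk_cached=False)
```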


