Re: Questions for draft-barany-eap-gee-01

From: Lakshminath Dondeti (ldondeti
Date: Tue, 13 Jun 2006 00:23:42 -0700 (PDT)
Thanks for the explanation. IKEv2 and the use of EAP with that protocol bring some interesting issues to the fore, and GEE is no exception. One of the other issues, for example, is that the use of the MSK is different.
At 10:37 PM 6/12/2006, Quinn Li wrote:

> Hi Lakshminath,
>
> Thank you for your immediate response. My comments are included inline.
>
> On 6/13/06, Lakshminath Dondeti <ldondeti [at] qualcomm.com> wrote:
>
>> Hi,
>>
>> GEE is not a general purpose authentication protocol. It is a generic EAP encapsulation mechanism that allows demultiplexing of multiple simultaneous EAP conversations between a peer and an authenticator. You say that the draft does describe the MVNO scenarios well, so I guess we can safely conclude that it does its job then.
>
> Yes, I know GEE allows demultiplexing multiple EAP conversations. AFAIK, MVNO is currently the only application for GEE. Do you have any other application in mind?
>
> Not exactly, EAP is supported in Mobile IPv6 authentication.
>
>> EAP is not used for IMS or Mobile IPv6 authentication, is it? So, in simple terms, it's not the purpose of the GEE draft to specify support for those services.

Right, sorry for the oversight. I sort of missed the IKEv2-EAP use case there, although I wonder whether the point about the same authenticator having to demultiplex multiple EAP conversations applies. The other thing to think about is whether the EP would be the same for the multiple authentications.

> Please refer to section 8 "The use of EAP authentication" in draft-ietf-mip6-ikev2-ipsec. Does that mean the GEE draft can support services like Mobile IPv6 as long as it uses EAP authentication? But how?

You seem to be answering this question yourself, below. Please see there for some more thoughts from my end.

>> With your last statement, are you saying that there is another way to demultiplex multiple parallel EAP exchanges? If so, I would like to read about it. Please share the reference. Thanks.
>
> By another way, I mean in most circumstances except MVNO, multiple parallel EAP exchanges can be demultiplexed by the underlying protocol of EAP.

I am not sure whether that is the case in most circumstances, but IKEv2 might be an exception, although I will point out that there doesn't seem to be a need for multiple simultaneous EAP authentications in the case of IKEv2. Perhaps you have a use case in mind?

> For example, if you want to have two Mobile IPv6 authentications done simultaneously, you can initiate two IKE sessions with two different Home Agents.

This goes to my point earlier about the authenticators being different and/or EPs being different too.

If the same authenticator using IKEv2 has a use case to run multiple simultaneous EAP authentications, the IKEv2-EAP specification would need to be changed to signal it, but GEE could very much be part of the solution to demultiplex the multiple EAP runs.

If there are multiple IKEv2 sessions, you are right, the IKEv2 SA can be used to demultiplex, but binding the two EAP authentications might be difficult, so the multiple IKEv2 sessions might not be a viable solution for multiple parallel EAP authentications and enforcement thereof.

>> regards, Lakshminath
>
> snip
>
> Thanks, Qin
Results generated by Tiger Technologies using MHonArc.