> -----Original Message-----
> From: Hao Zhou (hzhou) [mailto:hz...@cisco.com]
> Sent: Thursday, October 04, 2012 3:06 PM
> To: Jim Schaad; emu@ietf.org; draft-ietf-emu-eap-tunnel-met...@tools.ietf.org
> Subject: Re: [Emu] More Comments 2 on eap-tunnel-method
> Jim:
> Please see comments below.
> On 10/1/12 1:10 PM, "Jim Schaad" <i...@augustcellars.com> wrote:
> >I found two that I forgot to include in the last message
> >
> >1.  When exporting the user-id, does there need to be a way to
> >distinguish at export time between the different types of ids that are
> >authenticated by the server?  This does not seem to be an issue on the
> >peer as it will only do mutual authentication to servers and thus only
> >have server ids, however a server may authenticate to different types
> >of identities on the peer.  At the moment we have identified user and
> >machines as types of entities to be identified, I suppose in the future
> >we could add Ewoks as a different type of entity that could be
> >identified.  However the export function of user-ids does not make a
> >distinction between the different types of authenticated entities.
> >Should it do so or should it just export user authentications?
> [HZ] It helps to export the identities as well as the corresponding
> types (from the Identity Type TLV). Will add text.
> >
> >2.  Is there a map of TLVs that should not be sent together or need to
> >be processed in a specific order?  The case I was looking at was for
> >the Identity TLV and the EAP TLV.  Is there a difference in how a peer
> >should react for the following?
> >
> >  Identity TLV (Send me a machine Identity), EAP TLV (Start the EAP type XX)
> >  EAP TLV (Start EAP type XXX), Identity TLV (Send me a machine Identity)
> >
> >Or should these two TLVs never occur in a single message?
> [HZ] We had some discussion in the WG and took the design principle that TLV
> ordering should not matter. We disallow simultaneous EAP inner methods
> and/or combining them with Basic Password Authentication, so the order of the
> rest of the TLVs does not matter. If it does matter, it should be a nested TLV,
> as with the Result TLV and Request-Action TLV. Need to add text to disallow an
> inner EAP method with a parallel Basic Password Authentication TLV.

[JLS]  If the order of TLVs does not matter, then there is an implied order in
which the TLVs should be processed.  That is, one should always process the
Identity TLV before processing the EAP TLV, as the Identity TLV is a hint to
the type of identity that is to be used in the EAP method.  Conversely, it
might be that these two TLVs should never occur in the same message.

Ditto with the Basic Password Authentication TLV and the Identity TLV.


> >
> >Jim
> >
> >
> >_______________________________________________
> >Emu mailing list
> >Emu@ietf.org
> >https://www.ietf.org/mailman/listinfo/emu
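As an added illustration of the receiver behaviour discussed in this thread (the Identity TLV hint is consumed before the EAP TLV whatever the wire order, and the combinations Hao says the draft will disallow are rejected), the following Python is example code written for this page; it is not part of the thread or of the draft. The TLV header layout (mandatory bit plus 14-bit type, 2-byte length), the TLV type numbers, the Identity-Type values and the sample messages are all assumptions constructed for the example, not the draft's assignments.

```python
import struct
from dataclasses import dataclass

# TLV type numbers and Identity-Type values assumed for this example only;
# they are placeholders, not the draft's IANA assignments.
T_IDENTITY_TYPE = 2
T_RESULT = 3
T_EAP_PAYLOAD = 9
T_BASIC_PW_AUTH_REQ = 13

IDENTITY_USER = 1
IDENTITY_MACHINE = 2

# Receiver-side processing priority: lower runs first. The Identity-Type hint
# is consumed before the EAP-Payload or Basic-Password TLV it qualifies, so the
# wire order of those TLVs makes no difference to the outcome.
PROCESS_PRIORITY = {
    T_IDENTITY_TYPE: 0,
    T_EAP_PAYLOAD: 1,
    T_BASIC_PW_AUTH_REQ: 1,
    T_RESULT: 2,
}


@dataclass
class TLV:
    mandatory: bool
    tlv_type: int
    value: bytes


def encode_tlv(tlv_type: int, value: bytes, mandatory: bool = True) -> bytes:
    """Assumed layout: M bit + 14-bit type (2 bytes), 2-byte length, value."""
    header = (0x8000 if mandatory else 0) | (tlv_type & 0x3FFF)
    return struct.pack("!HH", header, len(value)) + value


def parse_tlvs(buf: bytes) -> list:
    """Split a message body into TLVs, rejecting truncated or overlong ones."""
    tlvs, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated TLV header")
        header, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if len(buf) - off < length:
            raise ValueError("TLV length runs past end of message")
        tlvs.append(TLV(bool(header & 0x8000), header & 0x3FFF, buf[off:off + length]))
        off += length
    return tlvs


def plan_processing(tlvs: list) -> list:
    """Return the TLVs in the order the receiver processes them.

    Enforces the two rules from the thread: no two inner EAP methods in one
    message, and no inner EAP method alongside Basic Password Authentication.
    An unknown TLV with the mandatory bit set is treated as an error (assumed
    rule for this example); unknown optional TLVs are skipped.
    """
    for t in tlvs:
        if t.mandatory and t.tlv_type not in PROCESS_PRIORITY:
            raise ValueError(f"unknown mandatory TLV type {t.tlv_type}")
    eap = [t for t in tlvs if t.tlv_type == T_EAP_PAYLOAD]
    pw = [t for t in tlvs if t.tlv_type == T_BASIC_PW_AUTH_REQ]
    if len(eap) > 1:
        raise ValueError("simultaneous inner EAP methods are not allowed")
    if eap and pw:
        raise ValueError("inner EAP method with parallel Basic Password Authentication is not allowed")
    known = [t for t in tlvs if t.tlv_type in PROCESS_PRIORITY]
    # sorted() is stable, so TLVs of equal priority keep their wire order.
    return sorted(known, key=lambda t: PROCESS_PRIORITY[t.tlv_type])


def processing_order(buf: bytes) -> list:
    """Wire bytes in, list of TLV types in processing order out."""
    return [t.tlv_type for t in plan_processing(parse_tlvs(buf))]


def requested_identity(tlvs: list):
    """Identity type the server asked for, or None when no hint was sent."""
    for t in plan_processing(tlvs):
        if t.tlv_type == T_IDENTITY_TYPE:
            return struct.unpack("!H", t.value)[0]
    return None


# Constructed sample messages: the same two TLVs in both wire orders.
IDENTITY_HINT = encode_tlv(T_IDENTITY_TYPE, struct.pack("!H", IDENTITY_MACHINE))
EAP_START = encode_tlv(T_EAP_PAYLOAD, b"\x01\x01\x00\x05\x01")  # constructed EAP Request/Identity
MSG_IDENTITY_FIRST = IDENTITY_HINT + EAP_START
MSG_EAP_FIRST = EAP_START + IDENTITY_HINT

if __name__ == "__main__":
    print(processing_order(MSG_IDENTITY_FIRST))  # [2, 9]
    print(processing_order(MSG_EAP_FIRST))       # [2, 9]
```

Both sample messages yield the same processing plan, which is what "ordering should not matter" has to mean for an implementer: the receiver collects the whole message, applies a fixed priority, and only then acts. The pairing Jim flags (an inner EAP method next to a Basic Password Authentication TLV) is rejected at parse time rather than being resolved by whichever TLV happened to come first.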
