Yes. If certificate-based authentication was used in the network, there is
no need for new credentials. But if pre-shared-key-based authentication was used, then we
need these "temporary credentials". Also, it is required to define the
lifetime of these "temporary credentials". For example, if the tunnel between
spokes stays up beyond the lifetime of the SA, then can the same "temporary
credentials" be used for rekey? Or should new "temporary credentials"
be received from the Hub?

Thanks,
Praveen


On 3/21/12 2:24 PM, "Yaron Sheffer" <[email protected]> wrote:

The point of "temporary credentials" is that if these spokes normally
use EAP or PSK to authenticate to the gateway, they cannot use these
same credentials to auth to one another (because that would expose each
spoke to impersonation by the other one). So to support this scenario we
must have some other means of authentication.

This raises an interesting question: if the spokes are authenticating
with certificates, they could in principle use the same credentials to
authenticate to one another. So the "temporary credentials" now become
*authorization* tokens, basically conveying the gateway's policy. Do we
really want to go down this path?

Thanks,
    Yaron

On 03/21/2012 10:43 PM, Geoffrey Huang wrote:
> I don't understand what "temporary credentials" means. If the intent is
> to have some transitive authentication (or redirection of trust
> hierarchy, at least) between a gateway and two spoke devices, which are
> trying to establish an ad-hoc connection, then I agree this would be
> important to have.
>
> -geoff
>
> From: Vishwas Manral <[email protected]>
> Date: Wed, 21 Mar 2012 12:24:08 -0700
> To: Steve Hanna <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [IPsec] [ipsecme] #217: Temporary credentials
>
> Hi Steve,
>
> I think this is an important requirement for sure.
>
> Thanks,
> Vishwas
>
> On Tue, Mar 20, 2012 at 6:36 PM, Stephen Hanna <[email protected]> wrote:
> Another issue to comment on.
>
> Steve
>
> -----Original Message-----
> From: ipsecme issue tracker [mailto:[email protected]]
> Sent: Tuesday, March 20, 2012 7:01 PM
> To: [email protected]; [email protected]
> Subject: [ipsecme] #217: Temporary credentials
>
> #217: Temporary credentials
>
>   Endpoints may require temporary credentials in order to establish a
>   secure connection to another endpoint.
>
>   Suggested Resolution: Put this in the requirements section.
>
> --
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec