
RE: Secure legacy authentication for IKEv2



At 12:52 PM -0800 12/20/02, William Dixon wrote:
>Paul, why wasn't an EAP encapsulation chosen in a similar manner as PIC?
>It seems you are re-inventing EAP types here.  For every new or
>different auth method type, you'd have to define a new one in the IKEv2
>spec.

If we used EAP, we would be susceptible to the man-in-the-middle 
attack described at 
<http://www.ietf.org/internet-drafts/draft-puthenkulam-eap-binding-01.txt>. 
The "EAP and EAP-like problem" is being discussed in many places, and 
is one of the things that is holding up PIC as well.

Dan and Derrell decided that the danger of mis-use of EAP was more 
worrisome than the need for automatic extensibility. Note that SLA 
already covers all of the methods that are covered by XAUTH, and 
there haven't been any calls in quite a while for new XAUTH methods.

--Paul Hoffman, Director
--VPN Consortium
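The man-in-the-middle problem Paul refers to is the compound-authentication binding problem: when a legacy method runs inside a protected tunnel but the resulting session key depends only on the inner method, a relay of that inner exchange between two different tunnels goes unnoticed. The following simulation is an added example, not code from this thread, the cited draft, or any IKEv2 implementation. It models a peer and a server that both hold the same inner-method key but may or may not share the outer tunnel key, and compares a session key derived from the inner method alone with a hypothetical compound derivation that also mixes in the tunnel key. The constants, the `derive_session_key` construction and the transcript value are constructed for illustration and do not correspond to any real key-derivation schedule.

```python
import hashlib
import hmac

# Constructed sample values; none come from a real exchange.
INNER_METHOD_KEY = b"\x11" * 32   # key the legacy (inner) method yields to both ends
TUNNEL_KEY_A = b"\xaa" * 32       # key of the outer tunnel the peer actually built
TUNNEL_KEY_B = b"\xbb" * 32       # key of a different outer tunnel


def derive_session_key(inner_key: bytes, tunnel_key: bytes, bind: bool) -> bytes:
    """Derive the session key that protects traffic after authentication.

    bind=False: the key depends only on the inner method, which is the
                'EAP-like problem' discussed in the thread.
    bind=True : the key is a compound of the inner-method key and the
                tunnel key (a simplified, hypothetical binding, not the
                exact construction of any specification).
    """
    if not bind:
        return hmac.new(b"session", inner_key, hashlib.sha256).digest()
    return hmac.new(tunnel_key, b"compound|" + inner_key, hashlib.sha256).digest()


def confirm(session_key: bytes, transcript: bytes) -> bytes:
    """Key-confirmation MAC sent at the end of the handshake."""
    return hmac.new(session_key, transcript, hashlib.sha256).digest()


def handshake_succeeds(bind: bool, tunnels_match: bool) -> bool:
    """Return True when the server accepts the peer's key confirmation.

    tunnels_match=False models the inner method completing across two
    different outer tunnels: the inner credential was valid, but the peer
    and the server never shared a tunnel key. A sound design must reject
    this case; an unbound design cannot tell it apart from the honest one.
    """
    peer_tunnel = TUNNEL_KEY_A
    server_tunnel = TUNNEL_KEY_A if tunnels_match else TUNNEL_KEY_B
    transcript = b"inner-method-ok"   # constructed stand-in for the handshake transcript
    peer_key = derive_session_key(INNER_METHOD_KEY, peer_tunnel, bind)
    server_key = derive_session_key(INNER_METHOD_KEY, server_tunnel, bind)
    return hmac.compare_digest(confirm(peer_key, transcript),
                               confirm(server_key, transcript))


def summarize() -> dict:
    """Run all four combinations so the contrast is visible at a glance."""
    return {
        "unbound_same_tunnel": handshake_succeeds(bind=False, tunnels_match=True),
        "unbound_split_tunnel": handshake_succeeds(bind=False, tunnels_match=False),
        "bound_same_tunnel": handshake_succeeds(bind=True, tunnels_match=True),
        "bound_split_tunnel": handshake_succeeds(bind=True, tunnels_match=False),
    }


if __name__ == "__main__":
    for name, accepted in summarize().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The only case whose outcome changes between the two derivations is the split-tunnel one: with an unbound key the server accepts it, with a compound key the confirmation fails because the two ends no longer agree on the tunnel contribution. That is the property a design needs if it wants to carry legacy methods inside a tunnel without inheriting the EAP binding problem; SLA, as Paul describes it, avoids the problem by not using EAP encapsulation at all, which is a different way of reaching the same goal.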