
Re: Secure legacy authentication for IKEv2





I didn't understand Dan's scenario, so I asked him if this was what he meant.
So I'll repost it:

The scenario is:

     EAPclient ----- some transport ---- man-in-the-middle ====IKEv2==== gateway
i.e. web-bunny                           ebay.su                         whitehouse.gov
 
Web bunny thinks she is opening her wallet to buy stuff from some new ebay-like
site, and in fact ebay.su uses the credentials to build themselves an IPsec
tunnel to the web-bunny's place of work.
 
Is this the attack? It seems to be, because there is no binding in the EAP
inner pieces to something like the IKEv2 cookies or vice versa.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


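A toy model of the scenario in the message above, added here as an illustration and not part of the original post: a gateway that checks only the inner credential proof accepts a relayed login, while one that also checks a tag binding the inner exchange to its own cookies rejects it. The HMAC challenge-response, the key derivation and the binding tag are constructed stand-ins, not EAP or IKEv2 wire formats and not a proposal from the thread.

```python
import hashlib
import hmac
import os

def _mac(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def eap_response(password, challenge):
    # Constructed stand-in for the inner EAP method's proof of the credential.
    return _mac(password, b"resp", challenge)

def binding_tag(password, challenge, cookies):
    # Key derived from the inner exchange, then a MAC over the cookies of the
    # outer exchange the sender believes it is in (assumed construction).
    return _mac(_mac(password, b"key", challenge), b"bind", cookies)

class Gateway:
    def __init__(self, password):
        self.password = password
        self.cookies = os.urandom(16)    # identifies the IKE exchange it sees
        self.challenge = os.urandom(16)

    def accept(self, response, tag, require_binding):
        good = eap_response(self.password, self.challenge)
        if not hmac.compare_digest(response, good):
            return False
        if not require_binding:
            return True                  # the situation the message describes
        expected = binding_tag(self.password, self.challenge, self.cookies)
        return hmac.compare_digest(tag, expected)

def client_answer(password, challenge, my_channel):
    # The client binds to the channel it is actually on.
    return eap_response(password, challenge), binding_tag(password, challenge, my_channel)

def relayed_login(require_binding):
    # Client's channel ends at the middle party; its answers are passed on as-is.
    password = b"constructed-password"
    gw = Gateway(password)
    middle_channel = os.urandom(16)
    response, tag = client_answer(password, gw.challenge, middle_channel)
    return gw.accept(response, tag, require_binding)

def direct_login(require_binding):
    password = b"constructed-password"
    gw = Gateway(password)
    response, tag = client_answer(password, gw.challenge, gw.cookies)
    return gw.accept(response, tag, require_binding)
```

The middle party cannot recompute the tag for the gateway's cookies because the tag key depends on the credential it never learns.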