
RE: Question about EAP payload



Clarification...when I said "password in the clear",
it isn't really "in the clear". It's encrypted using
the IKE key created in messages 1 and 2. But from
Bob's point of view, Alice is just sending a raw
password, and Bob has a database of hashed passwords.
I think Phil's response was based on my being
less than clear in my original post (below).

Radia

Radia Perlman - Boston Center for Networking wrote:
> I've been reading the new draft of IKEv2, which
> has not yet been announced, but has been submitted.
> 
> Anyway, under EAP payload, there seems to be
> "OTP", "MD5-challenge", and "generic token card".
> But there doesn't seem to be anything there
> for just plain sending a name and password.
> 
> Is this intentional, perhaps because MD5-challenge
> is considered better? (though it requires the
> server to store a password-equivalent, whereas
> sending password in-the-clear allows the
> server to store hashes of passwords)
> 
> Or is name/password really covered under "generic
> token card", because EAP just passes text back
> and forth, and the server could ask for name
> and password, and the client could send it?
> 
> Radia
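
The storage tradeoff raised in the thread, as an added Python example that is not part of the original messages: an MD5-challenge verifier has to keep the secret itself, while a verifier that receives the password inside the encrypted exchange can keep only a hash. The class names, the PBKDF2 parameters and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # EAP MD5-Challenge follows CHAP: MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChallengeServer:
    """MD5-challenge verifier: the secret itself is an input to the hash,
    so the database has to hold it in recoverable form."""
    def __init__(self):
        self.db = {}  # name -> secret (password-equivalent)
    def enroll(self, name: str, password: bytes) -> None:
        self.db[name] = password
    def verify(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self.db.get(name)
        if secret is None:
            return False
        expected = md5_challenge_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

class PasswordServer:
    """Verifier for a password sent inside the encrypted exchange:
    only a salted, iterated hash is stored (PBKDF2 is this example's choice)."""
    ITERATIONS = 100_000  # assumed parameter for this example
    def __init__(self):
        self.db = {}  # name -> (salt, derived hash)
    def _derive(self, password: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, salt, self.ITERATIONS)
    def enroll(self, name: str, password: bytes) -> None:
        salt = os.urandom(16)
        self.db[name] = (salt, self._derive(password, salt))
    def verify(self, name: str, password: bytes) -> bool:
        record = self.db.get(name)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(password, salt))

def compare_storage(name: str = "alice", password: bytes = b"constructed-sample-pw") -> dict:
    # Constructed sample credentials; both servers enroll the same user.
    chal_srv, pw_srv = ChallengeServer(), PasswordServer()
    chal_srv.enroll(name, password)
    pw_srv.enroll(name, password)
    challenge = os.urandom(16)
    from_db = md5_challenge_response(7, chal_srv.db[name], challenge)
    return {
        "db_entry_answers_challenge": chal_srv.verify(name, 7, challenge, from_db),
        "db_hash_accepted_as_password": pw_srv.verify(name, pw_srv.db[name][1]),
        "real_password_accepted": pw_srv.verify(name, password),
    }
```

`compare_storage()` shows that the challenge server's database entry is sufficient to answer a fresh challenge, whereas the password server's stored hash is not accepted in place of the password.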