[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Do ipsec vendors care about privacy?

To: ipsec@lists.tislabs.com
Subject: Re: Do ipsec vendors care about privacy?
From: Antonio Forzieri <antonio.forzieri@cefriel.it>
Date: Mon, 24 Mar 2003 16:15:44 +0100
In-Reply-To: <000201c2f203$0ed44050$292e1dc2@YnirNew>
References: <000201c2f203$0ed44050$292e1dc2@YnirNew>
Sender: owner-ipsec@lists.tislabs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312

Yoav Nir wrote:
> I like the EAPC idea, although I am not sure that it will actually solve a
> real problem.  Ususally Alice has only one means of authenticating herself
> (she doesn't have a smart card, in addition to a token card and the password
> that she remembers).  Still, if two implementations support a user-password
> scheme, but one calls it MD5 while the other calls it GTC, it would be nice
> to know at the end of the first message.
Agreed. We can use EAPC to make Bob possible send the right EAP message 
in IKEv2 Message 4. So if the initiator sends EAPC(MD5), Bob will send 
in message 4 a EAP(Request,MD5).

> As for making the IDr in message 3 mandatory for SLA, I think that is a good
> idea that solves our polling attack concern.  I think the draft should not
> prohibit using an ID_IPV4_ADDR, but it should recommend (at the SHOULD
> level) to use some sort of DN or if none exists, and FQDN.  Someone might
> want to set up a gateway that anybody can connect to.
It sounds fine for me... What do the others think about?

> You mentioned that "... what seems to me harder to solve is that many EAP
> methods require a valid Identity before sending the first EAP message".
> What EAP methods are those? 
The right question we have to ask to ourselves is:
*What authentication method we will use in IKEv2_EAP?*
*Which of these methods will require ID before sending an EAP message?*
I don't know all the methods EAP supports, however I know that OTP will 
not work without knowing IDi. MD5 and SecureID should work without any 
problem and GTC (which I don't know) should work. But what about 
Defender Token (AXENT), Arcot Systems EAP, CRYPTOCard, DynamID, 
Sentrinet and all the other methods supported in EAP?
Of course I think that we aren't going to support RSA PKA, or Smartcard, 
we can use them directly in IKEv2, without using EAP!
[SNIP]

If the answer is that there are few authentication method that needs to 
know IDi, than let's leave the things as they are, and for that methods 
use 1RTT more. (EAP(Request,Identity) in message 4).
[SNIP]

> Yoav

-- 
------------------------------------------------
Antonio Forzieri
CEFRIEL - Politecnico di Milano
Tesista Area E-Service Tecnologies
Tel: 02-23954.334 - email: forzieri@cefriel.it
ICQ# 177683894
------------------------------------------------

Follow-Ups:
- RE: Do ipsec vendors care about privacy?
  - From: "Yoav Nir" <ynir@CheckPoint.com>

References:
- RE: Do ipsec vendors care about privacy?
  - From: "Yoav Nir" <ynir@CheckPoint.com>

Prev by Date: Re: AES-based PRF for IKEv2
Next by Date: Re: Do ipsec vendors care about privacy?
Prev by thread: RE: Do ipsec vendors care about privacy?
Next by thread: RE: Do ipsec vendors care about privacy?
Index(es):
- Date
- Thread