[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE V2 Open Issues



Hugo Krawczyk <hugo@ee.technion.ac.il> writes:

> > 
> > 1) Hugo's proposal to change legacy authentication to protect the
> > initiator's identity against active attacks.  After looking at the
> > discussion, Barbara and I have concluded that the impacts of moving
> > around various protocol elements introduces numerous additional
> > complexities which will be hard to address at this late date.  Russ
> > with his AD hat on set as the bar, "if the changes are the least bit
> > onerous, then this should not be done".  We believe these changes meet
> > that test.
> 
> objection! the above presentation of the complexity incurred by
> the changes needed to suport  user's identity privacy (against
> active attackers)  is inaccurate and misleading. The required changes are
> purely local to the EAP extension of ikev2 and do not touch global
> elements in the protocol nor they impact performance or any
> other aspect of an application/implementation not running the
> EAP extension (for example, if all we do is to move IDi to 5th message).

Note that the responder cannot start the EAP authentication system
until it has an identity from the initiator (or it needs to send an
"EAP Identity Request" which adds yet another round trip).  This is
because the server needs to use the identity to determine what kind of
EAP session to initiate.  This is usually accomplished via an
encapsulation within RADIUS to some AAA server in order to
authenticate the supplicant (using EAP terminology).

Basically, this means that moving IDi to message 5 implies you cannot
start send the EAP Challenge until message 6, which means you're not
done with IKE until at least message 8 (assuming a one-round-trip EAP
protocol).  Are you SURE you want an 8-message protocol?  I'm not sure
this is what we want.

Also, what happens when you turn the protocol around?  I see you're
initiating IKE with server X, so I initiate IKE with you to determine
your identity -- how do you protect your identity there?

Or are you saying that you're putting the identity in different places
based on whether EAP is being used?  Well, how do you know if EAP is
being used if you don't know who your peer is?  I can certainly posit
a server that is configured to use EAP with some subset of peers and
RSA authenticatation with some other subset of peers.  How does the
server (acting as IKE responder) know which sub-protocol to use?

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com