
Re: EAP Handling in IKEv2



If it doesn't create a session key you really can't protect
against man-in-the-middle.

Radia


"Hannes Tschofenig" <Hannes.Tschofenig@siemens.com> wrote:
>Dear all,
>
>
>
>in Section 2.16 you mention the mechanism for protecting against
>man-in-the-middle attacks:
>
>" For EAP methods that create a shared key as a side effect of
>
>authentication, that shared key MUST be used by both the Initiator
>
>and Responder to generate an AUTH payload using the syntax for shared
>
>secrets specified in section 2.15. This shared key MUST NOT be used
>
>for any other purpose.
>
>"
>
>This covers the case where the EAP method establishes a session key.
>
>Which procedure do you suggest for cases where EAP methods do not create a
>session key such as the One-Time Password (OTP)?
>
>
>
>Ciao
>
>Hannes
>
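Worked example, added to this archive page and not part of either message: the section 2.15 shared-secret AUTH computation (AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), message octets)) applied with an EAP-derived key as the Shared Secret, as section 2.16 requires, seen from the responder's side. It shows why the binding works when EAP yields a key, and why there is nothing to bind with when it does not (the OTP case Hannes raises). HMAC-SHA1 as the prf, all keys, nonces, identities and the IKE_SA_INIT message bytes are constructed placeholders, not real IKE encodings.

```python
import hashlib
import hmac
from typing import Optional

# Section 2.15 shared-secret authentication:
#   AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <message octets>)
# Section 2.16: with a key-generating EAP method, the EAP key is the Shared Secret.
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated prf; HMAC-SHA1 is an assumption made for this example."""
    return hmac.new(key, data, hashlib.sha1).digest()


def signed_octets(own_message: bytes, peer_nonce: bytes, sk_p: bytes, ident: bytes) -> bytes:
    """Octets covered by AUTH in section 2.15: the sender's own IKE_SA_INIT
    message, the peer's nonce, and prf(SK_p, ID)."""
    return own_message + peer_nonce + prf(sk_p, ident)


def compute_auth(shared_key: bytes, octets: bytes) -> bytes:
    return prf(prf(shared_key, KEY_PAD), octets)


def verify_auth(shared_key: bytes, octets: bytes, received_auth: bytes) -> bool:
    return hmac.compare_digest(compute_auth(shared_key, octets), received_auth)


# Constructed IKE_SA_INIT material (placeholders, not real IKE payload encodings).
MSG_I = b"IKE_SA_INIT-initiator: SA,KE=g^i,Ni"
NONCE_R = b"responder-nonce-0123456789abcdef"
SK_PI = b"SK_pi-derived-from-DH-and-nonces"
ID_I = b"initiator@example.invalid"
EAP_KEY = b"constructed-EAP-session-key-32by"  # what a key-generating EAP method yields


def responder_accepts(eap_key: Optional[bytes], message_responder_saw: bytes) -> Optional[bool]:
    """Section 2.16 binding from the responder's point of view.

    The initiator computes AUTH over the IKE_SA_INIT message it actually sent;
    the responder recomputes it over the message it actually received.  If
    someone in the middle altered that message (for instance the KE payload),
    the two differ, and without the EAP key the AUTH value cannot be recomputed
    to match.  Returns None when the EAP method produced no key: there is then
    no Shared Secret to bind with, which is the case Hannes asks about.
    """
    if eap_key is None:
        return None
    auth_from_initiator = compute_auth(eap_key, signed_octets(MSG_I, NONCE_R, SK_PI, ID_I))
    octets_at_responder = signed_octets(message_responder_saw, NONCE_R, SK_PI, ID_I)
    return verify_auth(eap_key, octets_at_responder, auth_from_initiator)


if __name__ == "__main__":
    print("untouched exchange accepted:", responder_accepts(EAP_KEY, MSG_I))
    print("modified KE rejected:", responder_accepts(EAP_KEY, b"IKE_SA_INIT-initiator: SA,KE=g^m,Ni"))
    print("no EAP key (OTP-style method):", responder_accepts(None, MSG_I))
```

The two prf layers follow the draft's shared-secret syntax: the outer key is derived from the EAP key through the fixed pad string, so the EAP key itself is never used directly, consistent with the MUST NOT in the quoted text.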