
Re: EAP Handling in IKEv2

"Hannes Tschofenig" <Hannes.Tschofenig@siemens.com> wrote:
>in Section 2.16 you mention the mechanism for protecting against
>man-in-the-middle attacks:
>
>" For EAP methods that create a shared key as a side effect of
>authentication, that shared key MUST be used by both the Initiator
>and Responder to generate an AUTH payload using the syntax for shared
>secrets specified in section 2.15. This shared key MUST NOT be used
>for any other purpose."
>
>This covers the case where the EAP method establishes a session key.
>
>Which procedure do you suggest for cases where EAP methods do not create a
>session key such as the One-Time Password (OTP)?

For EAP methods that don't generate session keys, the AUTH payloads are
not sent. I'll make that clearer in the spec.

      --Charlie
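To make the distinction in the exchange above concrete, here is an added example (not code from the draft or from either poster) that builds the EAP-derived AUTH payload using the shared-secret construction of IKEv2 section 2.15, prf(prf(Shared Secret, "Key Pad for IKEv2"), octets), which the thread cites but does not reproduce, and returns no payload when the EAP method exports no key. HMAC-SHA-256 as the prf, the MSK bytes and the "signed octets" strings are all constructed assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Constant pad string from IKEv2 section 2.15 (shared-secret AUTH).
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 stands in for the negotiated IKE SA prf.
    return hmac.new(key, data, hashlib.sha256).digest()


def eap_auth_payload(msk: Optional[bytes], signed_octets: bytes) -> Optional[bytes]:
    """AUTH payload for the EAP branch of IKE_AUTH.

    msk: shared key exported by the EAP method (the MSK), or None for a
    method such as EAP-OTP that creates no key.  signed_octets: the
    octets the sender signs (its own first message, the peer's nonce and
    prf(SK_p, ID)), assembled by the caller.  Returns None when no AUTH
    payload is sent at all, which is the case Charlie describes.
    """
    if msk is None:
        return None
    return prf(prf(msk, KEY_PAD), signed_octets)


def verify_eap_auth(msk: Optional[bytes], signed_octets: bytes,
                    received: Optional[bytes]) -> bool:
    """Check a peer's AUTH: absent when no key exists, else a match."""
    expected = eap_auth_payload(msk, signed_octets)
    if expected is None:
        return received is None
    return received is not None and hmac.compare_digest(expected, received)


# Constructed sample inputs (not real protocol octets).
SAMPLE_MSK = bytes(range(64))
INIT_OCTETS = b"constructed: IKE_SA_INIT request | Nr | prf(SK_pi, IDi')"
RESP_OCTETS = b"constructed: IKE_SA_INIT response | Ni | prf(SK_pr, IDr')"
```
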