Re: EAP Handling in IKEv2

Bernard Aboba <aboba@internaut.com> wrote:
> > If so, it may be possible to keep the credentials as they are but
> > replace the existing method with a modified one when running inside
> > IKEv2.
> > When running outside IKEv2 or other sort of "EAP tunnels", use the
> > existing method as-is.
>
> Yes, this "modified method" approach is one of the proposals for dealing
> with non-key generating methods.

Uhhh... have I missed something? Where is this proposal? Since IKE does a
Diffie-Hellman exchange, it will have keying material whether EAP generates
a key or not. Using the EAP key protects against MITM attacks. If there is
no EAP key, then I believe there can be no protection for MITM attacks (as
Radia noted). So what did you have in mind?

      --Charlie