[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: EAP Handling in IKEv2

To: Yoav Nir <ynir@CheckPoint.com>
Subject: Re: EAP Handling in IKEv2
From: Jari Arkko <jari.arkko@kolumbus.fi>
Date: Sun, 11 May 2003 14:21:38 +0300
Cc: ipsec@lists.tislabs.com, owner-ipsec@lists.tislabs.com
In-Reply-To: <003c01c3179d$4c182160$292e1dc2@YnirNew>
References: <003c01c3179d$4c182160$292e1dc2@YnirNew>
Sender: owner-ipsec@lists.tislabs.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030313

Yoav Nir wrote:

> While there seems to be a consensus that kg methods are preferrable, I don't
> believe that we can disallow non-kg methods.  There simply are too many
> authentication schemes and servers out there for us to mandate throwing them
> all away.  The MitM vulnerability should be mentioned and kg methods should
> be recommended over non-kg methods, but disallowing them will lead to
> non-adoption of IKEv2.

Well, I think we have discussed in the past throwing out old legacy
methods, and found that it was clearly not possible.

However, the input we're trying to give now is that there may be
a significant difference with respect to throwing out credentials,
and throwing out methods. I agree that credentials should not be
thrown away.

The replacement of non-kg methods with kg-methods appears easier
though for the following reasons:

    - Existing credentials can be used.

    - All EAP intermediaries (such as AAA proxies or maybe
      the VPN gateway) need no modifications.

    - Clients have to be modified anyway for the introduction
      of IKEv2, so an update of a new auth method code at
      the same time does not appear to be technically infeasible.

    - There already exists methods for this purpose,
      e.g. MS-CHAP can be replaced with EAP MS-CHAPv2
      which does generate keys.

We do need the final AAA server to support the kg method,
and we for every non-kg method we need a corresponding
kg method. I wish I could say something definite about the
likelihood of the availability of this. But I don't agree
that this means throwing out authentication servers. EAP
support on a server seems a fairly reasonable requirement
these days (for wireless LANs etc), so in the worst case
the server needs an update to support a new method. Perhaps
we should also develop a list of common authentication
methods, to see how large fraction of them has corresponding
kg methods. Does anyone who "owns" a particular method
want to step out and say that they don't have or can't
produce a kg variant?

--Jari

Follow-Ups:
- RE: EAP Handling in IKEv2
  - From: "Yoav Nir" <ynir@CheckPoint.com>

References:
- RE: EAP Handling in IKEv2
  - From: "Yoav Nir" <ynir@CheckPoint.com>

Prev by Date: RE: EAP Handling in IKEv2
Next by Date: RE: EAP Handling in IKEv2
Prev by thread: RE: EAP Handling in IKEv2
Next by thread: RE: EAP Handling in IKEv2
Index(es):
- Date
- Thread