
Re: EAP Handling in IKEv2



> > reusing "legacy methods". However, this means that we are willing to
> > *change* the authentication methods traditionally used by the "legacy
> > credentials". If this is a practical approach (namely, it can gain
> > widespread support in corporate organizations, etc) then the solution is
> > very simple and does not require the design of key-generating methods.
> > All is needed is that the modified methods authenticate the "context" in
> > which they are run. Specifically, when run with ikev2 the authenticated
> > information should include a unique "protocol identifier" (such as
> > "ikev2", "rfc-xxxx", "port-yyy", etc). This is the simplest and least
> > "intrusive" solution to the man in the middle problem while allowing use
> > of the same credentials in different contexts.
>
> Yes, this is also one of the proposed approaches for
> dealing with MitM.

I'd like to see this included in the EAP WG MiTM document :(

Hugo -- can we prevail upon you to do a review of
draft-puthenkulam-eap-binding-02.txt and post this and other relevant
comments to the EAP WG mailing list?
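
The context binding described in the quoted text, as an added sketch that is not part of the original message or of any EAP method. HMAC-SHA256 stands in for a legacy challenge-response method, and the function names and the length-prefixed encoding are assumptions; "ikev2" and "rfc-xxxx" are the placeholder identifiers from the quoted text.

```python
import hashlib
import hmac

def _lp(field: bytes) -> bytes:
    # Length-prefix each field so distinct (context, challenge) pairs never collide.
    return len(field).to_bytes(2, "big") + field

def legacy_response(secret: bytes, challenge: bytes) -> bytes:
    # Unmodified method: only the challenge is authenticated.
    return hmac.new(secret, _lp(challenge), hashlib.sha256).digest()

def bound_response(secret: bytes, context: bytes, challenge: bytes) -> bytes:
    # Modified method: the protocol identifier is part of the authenticated data.
    return hmac.new(secret, _lp(context) + _lp(challenge), hashlib.sha256).digest()

def verify_legacy(secret: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(legacy_response(secret, challenge), response)

def verify_bound(secret: bytes, own_context: bytes, challenge: bytes, response: bytes) -> bool:
    # The verifier uses its own fixed context, never a value supplied by the peer.
    return hmac.compare_digest(bound_response(secret, own_context, challenge), response)

def relay_outcome(secret: bytes, challenge: bytes) -> dict:
    # The client answers in context "rfc-xxxx"; the answer is then presented,
    # with the same challenge, to a verifier that runs the method inside "ikev2".
    return {
        "legacy_relayed": verify_legacy(secret, challenge, legacy_response(secret, challenge)),
        "bound_relayed": verify_bound(secret, b"ikev2", challenge,
                                      bound_response(secret, b"rfc-xxxx", challenge)),
        "bound_direct": verify_bound(secret, b"ikev2", challenge,
                                     bound_response(secret, b"ikev2", challenge)),
    }

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(relay_outcome(b"constructed-shared-secret", b"constructed-challenge-0001"))
```

The unbound response verifies in either context, while the bound response verifies only where the verifier's own identifier matches the one the client authenticated.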