Hi all,

I would like
to support the idea of protecting the user's identity against active attacks in
IKEv2 for the remote access case (i.e. EAP message exchange), as recently
raised by Hugo, Hannes and Scott. In the
SHAMAN project, we identified this to be an important/essential requirement for
access to future mobile networks. In GSM and UMTS, this is also a
well-established requirement which is "solved" by using temporary
identities (can be circumvented by using "false base station
attacks"). Not protecting the user's identity against active attacks would
mean ignoring long-identified security requirements and may allow a bogus
access network to get hold of the user's identity.

Best wishes,
Scarlet

Dr. Scarlet Schwiderski-Grosche
Information Security Group
Royal Holloway, Egham,
Tel.: ++44-1784-443089