[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The remaining IKEv2 issues

To: ipsec@lists.tislabs.com
Subject: Re: The remaining IKEv2 issues
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Mon, 18 Aug 2003 17:04:36 -0400
In-reply-to: Your message of "Mon, 18 Aug 2003 13:18:33 EDT." <E19oneL-0003NU-00@think.thunk.org>
Sender: owner-ipsec@lists.tislabs.com

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Theodore" == Theodore Ts'o <tytso@mit.edu> writes:
    Theodore> The final issue #65, concerns whether or not non key-generating
    Theodore> EAP methods should be supported, in order to avoid a
    Theodore> Man-in-the-middle attack (MITM) attack.  However, as Charlie
    Theodore> has pointed out, as used in IKEv2, the server is authenticated
    Theodore> with a certificate before the authentication code is passed.

  My understanding of the MITM attack on non key-generating EAP methods is
that nothing we do in IKEv2 prevents this. This is because the attack is
not between two IPsec devices, but between different kinds of devices.

  I.e. you do key-less EAP with a web server as part of HTTPS, and the
*web server* then does key-less EAP IKE2, acting a kind of nefarious
algorithm proxy.

  We demand that each end know the generated EAP key so that we can bind the
key to the authenticator used. The above web server wouldn't know the
generated key, so the attack is defeated.

    Theodore> In addition, given the requirement to support one-time password
    Theodore> and Generic Token cards, we can not forbid the use of non-kg
    Theodore> EAP schemes.  Hence, given that the MITM attack which was the
    Theodore> concern raised by issue #65 is not an issue for IKEv2, we
    Theodore> believe that this is not something that should hold back the
    Theodore> publication of IKEv2 as a Proposed Standard.

  So, the only way to support these kind of things is by using EAP?
  I'm not complaining, I'm just asking for confirmation.

    Theodore> closed (or as closed as they are going to be), we believe that
    Theodore> the -10 version is ready for IETF last call, once it the -10
    Theodore> version has been processed by the IETF secretariat.

  wow.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys - custom hacks make this fully PGP2 compat

iQCVAwUBP0E/Y4qHRg3pndX9AQFXWgQA0qqnN3niE1NQOXNOPKxhsGxRodzaQmpc
ko6m3StDaQzbsB4v9TEOGa5KRcQXeNCoYcDn6ZeHeN5C2qkv4V8PpWajMNUr35mL
c49sz8Yjse8VlIJ+snX8KONC3pAH5H/dnqbZ5JV0y62JA7WWSfgvDXcoNBW6hHzE
M81ks/EmnRA=
=f8LX
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: The remaining IKEv2 issues
  - From: Uri Blumenthal <uri@lucent.com>
- Re: The remaining IKEv2 issues
  - From: "Theodore Ts'o" <tytso@mit.edu>
- Re: The remaining IKEv2 issues
  - From: Charlie_Kaufman@notesdev.ibm.com

References:
- The remaining IKEv2 issues
  - From: "Theodore Ts'o" <tytso@mit.edu>

Prev by Date: Initiator exposes DOS attack for IKEv2?
Next by Date: Re: IKEv2 SA rekeying - naming an initial SA
Prev by thread: Re: The remaining IKEv2 issues - #64
Next by thread: Re: The remaining IKEv2 issues
Index(es):
- Date
- Thread