
Re: The remaining IKEv2 issues



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@sun.com> writes:
    Nicolas> For challenge/response token EAPs one could define a challenge
    Nicolas> based on some derivative of the key exchange.  Thus the client
    Nicolas> could verify that the challenge corresponds to the KE and the
    Nicolas> server could verify that the response corresponds to the
    Nicolas> challenge and if both check out then the KE is authenticated.

  There is a key thing that you should realize: in general, the responder
(aka "gateway") won't be able to derive the appropriate response itself.

     i.e. we can't do something like CHAP.

  The reason is that the gateway will likely have to provide the literal
reply via EAP/Radius to another machine for checking.

  I'm not certain what systems your proposal would work for.
  Not SecureID, not X9.9, not passwords-over-radius.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys - custom hacks make this fully PGP2 compat

iQCVAwUBP0I/yIqHRg3pndX9AQEG0gQAvebuW2tKZrO/DJ7Wp+azOJA5+fePy+BM
qC75cqYwyLoRklFwWNT3GmAwQCOa3iX5iBFFB/o6z6Zj6xbcfZqWZOdPnz0lMpOb
aGo3vwGL8kknYB6a+pxZZL1Vf50SnkASBL3Bp2Ss3akvFlLelhLw+3jXu7M2n+f/
aywNPkYq6v4=
=Xn0O
-----END PGP SIGNATURE-----
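As an added illustration of the exchange being debated (this is example code written for this page, not from the thread or any IKEv2 implementation): a toy three-party model in which the responder derives the EAP challenge from the key exchange, the initiator refuses a challenge that does not match its own view of the KE, and the responder, holding no user secret, must relay the literal response to a back-end AAA server for the actual check. The challenge derivation (SHA-256 over a constructed label and transcript), the HMAC-SHA256 response, the user name and all key material are assumptions chosen for the demonstration; it models only challenge/response credentials, not time-based tokens, which the message above says this approach would not cover.

```python
"""Toy model of an EAP challenge/response bound to the IKE key exchange.

Three parties: the initiator (client), the responder (gateway) and a
back-end AAA server reached over something like RADIUS. Only the client
and the AAA server know the user's secret; the gateway just relays.
"""
import hashlib
import hmac
import secrets

LABEL = b"ike-ke-bound-eap-challenge"  # constructed label, not from any RFC


def derive_challenge(ke_transcript: bytes) -> bytes:
    """Challenge derived from the key exchange (assumed construction:
    SHA-256 over a fixed label and the transcript bytes)."""
    return hashlib.sha256(LABEL + ke_transcript).digest()


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Assumed credential response: HMAC-SHA256(secret, challenge)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Client:
    """IKE initiator holding the user's secret and its own view of the KE."""

    def __init__(self, username: str, secret: bytes, ke_transcript: bytes):
        self.username = username
        self.secret = secret
        self.ke_transcript = ke_transcript

    def respond(self, challenge: bytes) -> bytes:
        # Check the challenge really corresponds to the KE we took part in.
        expected = derive_challenge(self.ke_transcript)
        if not hmac.compare_digest(challenge, expected):
            raise ValueError("challenge is not bound to this key exchange")
        return compute_response(self.secret, challenge)


class AAAServer:
    """Back-end holding per-user secrets; the gateway never sees them."""

    def __init__(self, user_db: dict):
        self.user_db = user_db

    def check(self, username: str, challenge: bytes, response: bytes) -> bool:
        secret = self.user_db.get(username)
        if secret is None:
            return False
        return hmac.compare_digest(compute_response(secret, challenge), response)


class Gateway:
    """IKE responder: it can derive the challenge from the KE, but has no
    user secret, so it cannot verify the response itself and must relay it."""

    def __init__(self, aaa: AAAServer, ke_transcript: bytes):
        self.aaa = aaa
        self.ke_transcript = ke_transcript

    def make_challenge(self) -> bytes:
        return derive_challenge(self.ke_transcript)

    def verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        # Forward the literal response (and challenge) to the AAA back-end.
        return self.aaa.check(username, challenge, response)


def run_exchange(client: Client, gateway: Gateway) -> dict:
    """Drive one exchange and report at which step it succeeded or failed."""
    challenge = gateway.make_challenge()
    try:
        response = client.respond(challenge)
    except ValueError:
        return {"challenge_accepted": False, "authenticated": False}
    ok = gateway.verify(client.username, challenge, response)
    return {"challenge_accepted": True, "authenticated": ok}


def demo() -> dict:
    """Three constructed scenarios: honest run, KE mismatch, wrong secret."""
    secret = secrets.token_bytes(16)          # constructed user secret
    aaa = AAAServer({"alice": secret})        # constructed user name
    ke = secrets.token_bytes(32)              # stands in for the DH transcript
    results = {}
    results["honest"] = run_exchange(Client("alice", secret, ke), Gateway(aaa, ke))
    # Gateway and client disagree on the KE: the client rejects the challenge.
    results["ke_mismatch"] = run_exchange(
        Client("alice", secret, ke), Gateway(aaa, secrets.token_bytes(32)))
    # Challenge binds fine, but the AAA back-end rejects the response.
    results["wrong_secret"] = run_exchange(
        Client("alice", b"not-the-secret", ke), Gateway(aaa, ke))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The `Gateway` class deliberately has no secret material and no `compute_response` call of its own: that is the point made in the message, that binding the challenge to the key exchange is something the responder can do locally, while checking the response still requires handing the literal reply to whatever system owns the credential.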