
Re: The remaining IKEv2 issues



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Yoav" == Yoav Nir <ynir@CheckPoint.com> writes:
    Yoav> As many times as I read that article, I can't see how this is a
    Yoav> problem.  It makes a very strong assumption, that EAP methods are
    Yoav> used outside of secure tunnels.  IMO this is not true:

  Sure it is, because the problem is not just with non-private uses, but
with the end points as well.

  The point of having that radius-backed token system is that you are using
it for multiple systems. The extranet web site would apply. Your assumption
is that every system that is authenticating users is equally trusted.

  You are assuming that the end point of the "secure tunnels" are trusted.
That is, if you are using EAP to authenticate to your "extranet" as well
as your IPsec, then a compromise of *either* system will compromise both
if you are using non-kg EAP.

  This is worse if you have some kind of non-kg EAP system that has multiple
mutually distrusting parties involved. I can easily imagine roaming dialup
ISP stuff, which is all based upon radius proxy that would be involved.

    Yoav> servers, or to connect from home or while on the road.  You do not
    Yoav> use it from home to do things that are not related to IKE.  When at

  Might be true for username/password, but it isn't true about physical
tokens, which are expensive, and the point of "legacy auth" is that people
want to amortize that token across more uses.

    Yoav> work, you log on to the Windows domain controller or to some RADIUS
    Yoav> server, but you do not use EAP.  The only cases where you actually

  How do you know that the domain controller isn't using EAP?

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys - custom hacks make this fully PGP2 compat

iQCVAwUBP0JmiIqHRg3pndX9AQGBQAQAmwheLXX1W73QKMuV448vhTdeDkEqUHD2
u1TzXFYpvGA0blfoAB6aNVnQuqJcm5V5ZKSYJjb1hxM4NIlAoaePTvRAXz8Kb2GD
ncYT6vMLqDPK6q1gFX0L7iwKC5hCQjbiKcQvnhxVe4GBCHUQMNqM8dlwGRaXLAcg
tGWGjCuW9Ys=
=3twK
-----END PGP SIGNATURE-----
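The scenario the message argues, as an added example that is not part of this message or of the IKEv2 drafts: a shared RADIUS token backend serves both an extranet and an IPsec gateway, the extranet is compromised, and the attacker forwards the user's EAP credential into its own IKE SA with the gateway. The model is deliberately reduced: the token is a constructed event-counter HMAC (not any real token algorithm), an IKE "leg" is a random per-session binding string standing in for the nonces and SK_p that the real AUTH payload covers, and the key-generating case keys AUTH with the EAP MSK as RFC 4306 section 2.16 does. All names and the seed are assumptions; nothing here is a real implementation of IKEv2 or of an EAP method.

```python
"""Relaying a non-key-generating EAP credential through a compromised endpoint
versus a key-generating method whose MSK is bound into IKEv2 AUTH (simplified)."""
import hashlib
import hmac
import secrets

# Constructed seed shared by the user's token and the RADIUS backend (assumption).
TOKEN_SEED = b"constructed seed shared by the token and the RADIUS server"


def token_code(seed: bytes, counter: int) -> bytes:
    """One-time code for an event counter (constructed stand-in for a token)."""
    return hmac.new(seed, b"code" + counter.to_bytes(8, "big"), hashlib.sha256).digest()[:6]


def eap_msk(seed: bytes, counter: int) -> bytes:
    """Session key a key-generating method derives on the token side and the
    RADIUS side for this conversation; the relaying party never learns it."""
    return hmac.new(seed, b"msk" + counter.to_bytes(8, "big"), hashlib.sha256).digest()


class RadiusBackend:
    """The shared token server. Every relying system (extranet web site, IPsec
    gateway) is a RADIUS client and may ask it to verify a code."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.next_counter = 0

    def verify(self, code: bytes, key_generating: bool):
        """Return (accepted, msk); msk is None for a non-key-generating method."""
        for c in range(self.next_counter, self.next_counter + 3):  # small look-ahead window
            if hmac.compare_digest(token_code(self.seed, c), code):
                self.next_counter = c + 1  # a code is accepted once
                return True, (eap_msk(self.seed, c) if key_generating else None)
        return False, None


def ike_leg() -> dict:
    """Per-SA values both parties of one IKE leg know (stand-in for Ni|Nr and SK_p)."""
    return {"binding": secrets.token_bytes(16), "sk_p": secrets.token_bytes(32)}


def auth_payload(key: bytes, leg: dict) -> bytes:
    """IKEv2-style AUTH: a MAC over this SA's binding, keyed as the EAP method dictates."""
    return hmac.new(key, leg["binding"], hashlib.sha256).digest()


def relay_through_compromised_endpoint(key_generating: bool) -> bool:
    """User authenticates to a compromised extranet (leg A). The extranet forwards
    the EAP credential into its own IKE SA with the IPsec gateway (leg B).
    Returns True if the gateway accepts the attacker's session."""
    radius = RadiusBackend(TOKEN_SEED)
    user_counter = 0
    leg_a = ike_leg()  # user <-> compromised extranet
    leg_b = ike_leg()  # compromised extranet <-> IPsec gateway

    # The user answers the EAP challenge on leg A with the next token code.
    code = token_code(TOKEN_SEED, user_counter)
    # The attacker forwards it on leg B; the gateway hands it to the shared backend.
    accepted, msk_at_gateway = radius.verify(code, key_generating)
    if not accepted:
        return False

    if key_generating:
        # Gateway expects AUTH keyed with the MSK RADIUS returned for this conversation.
        expected = auth_payload(msk_at_gateway, leg_b)
        # The attacker holds no MSK; the best it can do is relay the user's AUTH,
        # which the user computed with its own MSK but over leg A's binding.
        attempt = auth_payload(eap_msk(TOKEN_SEED, user_counter), leg_a)
    else:
        # Gateway expects AUTH keyed with SK_p of leg B, which the attacker knows as
        # a party to that SA; the token code was the only thing the user contributed.
        expected = auth_payload(leg_b["sk_p"], leg_b)
        attempt = auth_payload(leg_b["sk_p"], leg_b)

    return hmac.compare_digest(expected, attempt)


if __name__ == "__main__":
    print("non-key-generating EAP, relayed credential accepted:",
          relay_through_compromised_endpoint(key_generating=False))
    print("key-generating EAP bound into AUTH, relayed credential accepted:",
          relay_through_compromised_endpoint(key_generating=True))
```

The point the model makes is the one in the message: with a non-key-generating method the token code is a bearer credential that any system trusted by the RADIUS backend can spend, so whichever endpoint is compromised compromises the others. Binding the EAP MSK into AUTH ties the credential to one conversation on one IKE SA, so a relayed credential fails at the gateway even though the backend accepted it.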