Re: The remaining IKEv2 issues
Sorry if I've lamely missed this, but can somebody
in a nutshell describe the attack here? I'm not
quite grokking what's being discussed here...
Mike
Michael Richardson writes:
> >>>>> "Yoav" == Yoav Nir <ynir@CheckPoint.com> writes:
> Yoav> As many times as I read that article, I can't see how this is a
> Yoav> problem. It makes a very strong assumption, that EAP methods are
> Yoav> used outside of secure tunnels. IMO this is not true:
>
> Sure it is, because the problem is not just with non-private uses, but
> with the end points as well.
>
> The point of having that radius-backed token system is that you are using
> it for multiple systems. The extranet web site would apply. Your assumption
> is that every system that is authenticating users is equally trusted.
>
> You are assuming that the end point of the "secure tunnels" are trusted.
> That is, if you are using EAP to authenticate to your "extranet" as well
> as your IPsec, then a compromise of *either* system will compromise both
> if you are using non-kg EAP.
>
> This is worse if you have some kind of non-kg EAP system that has multiple
> mutually distrusting parties involved. I can easily imagine roaming dialup
> ISP stuff, which is all based upon radius proxy that would be involved.
>
> Yoav> servers, or to connect from home or while on the road. You do not
> Yoav> use it from home to do things that are not related to IKE. When at
>
> Might be true for username/password, but it isn't true about physical
> tokens, which are expensive, and the point of "legacy auth" is that people
> want to amortize that token across more uses.
>
> Yoav> work, you log on to the Windows domain controller or to some RADIUS
> Yoav> server, but you do not use EAP. The only cases where you actually
>
> How do you know that the domain controller isn't using EAP?
>
> ] Out and about in Ottawa. hmmm... beer. | firewalls [
> ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> ] panic("Just another Debian/notebook using, kernel hacking, security guy"); [