
Re: The remaining IKEv2 issues

Sorry if I've lamely missed this, but can somebody
in a nutshell describe the attack here? I'm not
quite grokking what's being discussed here...

	      Mike

Michael Richardson writes:
 > 
 > >>>>> "Yoav" == Yoav Nir <ynir@CheckPoint.com> writes:
 >     Yoav> As many times as I read that article, I can't see how this is a
 >     Yoav> problem.  It makes a very strong assumption, that EAP methods are
 >     Yoav> used outside of secure tunnels.  IMO this is not true:
 > 
 >   Sure it is, because the problem is not just with non-private uses, but
 > with the end points as well.
 > 
 >   The point of having that radius-backed token system is that you are using
 > it for multiple systems. The extranet web site would apply. Your assumption
 > is that every system that is authenticating users is equally trusted.
 > 
 >   You are assuming that the end points of the "secure tunnels" are trusted.
 > That is, if you are using EAP to authenticate to your "extranet" as well
 > as your IPsec, then a compromise of *either* system will compromise both
 > if you are using non-kg EAP.
 > 
 >   This is worse if you have some kind of non-kg EAP system that has multiple
 > mutually distrusting parties involved. I can easily imagine roaming dialup
 > ISP stuff, which is all based upon radius proxy that would be involved.
 > 
 >     Yoav> servers, or to connect from home or while on the road.  You do not
 >     Yoav> use it from home to do things that are not related to IKE.  When at
 > 
 >   Might be true for username/password, but it isn't true about physical
 > tokens, which are expensive, and the point of "legacy auth" is that people
 > want to amortize that token across more uses.
 > 
 >     Yoav> work, you log on to the Windows domain controller or to some RADIUS
 >     Yoav> server, but you do not use EAP.  The only cases where you actually
 > 
 >   How do you know that the domain controller isn't using EAP?
 > 
 > ]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
 > ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
 > ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
 > ] panic("Just another Debian/notebook using, kernel hacking, security guy");  [