
Re: The remaining IKEv2 issues

Michael Richardson <mcr@sandelman.ottawa.on.ca> wrote on 08/18/2003 05:04:36 PM:
>     Theodore> In addition, given the requirement to support one-time password
>     Theodore> and Generic Token cards, we can not forbid the use of non-kg
>     Theodore> EAP schemes.  Hence, given that the MITM attack which was the
>     Theodore> concern raised by issue #65 is not an issue for IKEv2, we
>     Theodore> believe that this is not something that should hold back the
>     Theodore> publication of IKEv2 as a Proposed Standard.
>
>   So, the only way to support these kinds of things is by using EAP?
>   I'm not complaining, I'm just asking for confirmation.

Yes. IKEv2 natively supports authentication via public key certificate and
by shared secret key. When it was proposed that we add support for OTP and
Token cards, we could see that down that road lay reinventing authentication
protocols over and over, so we incorporated EAP as the mechanism for any
form of authentication other than public key certificate and shared secret
key.

      --Charlie