Re: EAP-IKEv2 MITM prevention (Was: Re: The remaining IKEv2 issues)
- To: Michael Thomas <mat@cisco.com>
- Subject: Re: EAP-IKEv2 MITM prevention (Was: Re: The remaining IKEv2 issues)
- From: Uri Blumenthal <uri@lucent.com>
- Date: Wed, 20 Aug 2003 16:54:10 -0400
- Cc: Jari Arkko <jari.arkko@kolumbus.fi>, "Theodore Ts'o" <tytso@mit.edu>, ipsec@lists.tislabs.com, smb@research.att.com, Charlie_Kaufman@notesdev.ibm.com, Bernard Aboba <aboba@internaut.com>
- Organization: Lucent Technologies / Bell Labs
- References: <E19oneL-0003NU-00@think.thunk.org> <3F42A76A.1050800@kolumbus.fi> <3F43B2B8.2010203@lucent.com> <16195.57195.361779.466156@thomasm-u1.cisco.com>
- Sender: owner-ipsec@lists.tislabs.com
- User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 (CK-LucentTPES)
On 8/20/2003 4:51 PM, Michael Thomas wrote:
> Uri Blumenthal writes:
> > In short. I disagree with Charlie wrt. the reasons EAP was
> > included. In my view it was not to be able to reuse the old
> > METHODS - but to reuse the old CREDENTIALS.
> >
> > The exact "grinder" through which those credentials are
> > run, IMHO doesn't really matter to the users.
>
> Having been through this once before in the SIP
> world, there were really two considerations:
>
> 1) reuse of credentials as you state
Which is perfectly OK.
> 2) keeping the AAA clueless that any of this
> is going on.
I don't think it's (a) feasible, or (b) desirable. Let's
NOT keep AAA clueless. Especially since in EAP it's the
AAA that will have to actually run the "new" EAP method.
If it means fighting reality as it is - so be it. :-)