Re: EAP-IKEv2 MITM prevention (Was: Re: The remaining IKEv2 issues)
Uri Blumenthal writes:
> In short. I disagree with Charlie wrt. the reasons EAP was
> included. In my view it was not to be able to reuse the old
> METHODS - but to reuse the old CREDENTIALS.
>
> The exact "grinder" through which those credentials are
> run, IMHO doesn't really matter to the users.

Uri,

Having been through this once before in the SIP
world, there were really two considerations:

1) reuse of credentials as you state
2) keeping the AAA clueless that any of this
   is going on.

In particular, there was a large desire in SIP to
have CHAP, etc, instead of HTTP-digest so that the
blob delivered to the AAA would be
indistinguishable from, oh say, a PPP-dialin
authentication request. So in that case, the
grinder in fact did figure pretty largely in
people's considerations as CHAP and http-digest
are essentially the same thing except for the bits
on the wire.

This was a few years ago and maybe the AAA servers
have been upgraded to be more accommodating, so
take this with a grain of salt.

Mike