
RE: Secure legacy authentication for IKEv2



At 12:52 PM -0800 12/20/02, William Dixon wrote:
Paul, why wasn't an EAP encapsulation chosen in a similar manner as PIC? It seems you are re-inventing EAP types here. For every new or different auth method type, you'd have to define a new one in the IKEv2 spec.

If we used EAP, we would be susceptible to the man-in-the-middle attack described at <http://www.ietf.org/internet-drafts/draft-puthenkulam-eap-binding-01.txt>. The "EAP and EAP-like problem" is being discussed in many places, and is one of the things that is holding up PIC as well.


Dan and Derrell decided that the danger of mis-use of EAP was more worrisome than the need for automatic extensibility. Note that SLA already covers all of the methods that are covered by XAUTH, and there haven't been any calls in quite a while for new XAUTH methods.

--Paul Hoffman, Director
--VPN Consortium
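Added illustration, not part of this message or of any IKEv2 or PIC draft: a small Python simulation of the relay-style man-in-the-middle that the cited EAP binding draft describes, alongside the cryptographic binding that defeats it. The "legacy" inner method is a constructed challenge/response scheme standing in for an EAP type, the user database is constructed, and the tunnel key is a random value standing in for the key an IKE_SA_INIT exchange would produce; none of these names come from the original text.

```python
import hmac
import hashlib
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 used as the PRF for both the inner method and the binding."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(part)
    return mac.digest()


# Constructed credential database for the example: username -> password.
USERS = {b"alice": b"correct horse battery staple"}


class InnerMethod:
    """Toy challenge/response method standing in for a legacy EAP type.

    Like a real EAP method it is tunnel-agnostic: it knows nothing about the
    channel it is carried over, which is exactly what the relay exploits.
    """

    @staticmethod
    def respond(password: bytes, challenge: bytes) -> bytes:
        return prf(password, b"response", challenge)

    @staticmethod
    def msk(password: bytes, challenge: bytes) -> bytes:
        # Key material the inner method exports; only holders of the password can derive it.
        return prf(password, b"msk", challenge)


def binding_tag(password: bytes, challenge: bytes, tunnel_key: bytes) -> bytes:
    """Cryptographic binding: prove possession of the inner key *and* the outer tunnel key."""
    return prf(InnerMethod.msk(password, challenge), b"binding", tunnel_key)


class Server:
    def __init__(self, binding: bool):
        self.binding = binding  # whether the server demands the compound binding tag

    def open_tunnel(self):
        # Stand-in for the outer key agreement; whoever is on the far end learns tunnel_key.
        return os.urandom(32), os.urandom(16)  # (tunnel_key, inner challenge)

    def verify(self, username, challenge, response, tunnel_key, tag) -> bool:
        password = USERS.get(username)
        if password is None:
            return False
        if not hmac.compare_digest(response, InnerMethod.respond(password, challenge)):
            return False
        if not self.binding:
            return True  # inner success alone authenticates the tunnel peer
        expected = binding_tag(password, challenge, tunnel_key)
        return tag is not None and hmac.compare_digest(tag, expected)


def honest_client(server: Server) -> bool:
    """Legitimate user runs the inner method inside its own tunnel with the server."""
    tunnel_key, challenge = server.open_tunnel()
    password = USERS[b"alice"]
    response = InnerMethod.respond(password, challenge)
    tag = binding_tag(password, challenge, tunnel_key) if server.binding else None
    return server.verify(b"alice", challenge, response, tunnel_key, tag)


def relay_attack(server: Server) -> bool:
    """Attacker without the password relays the inner exchange from a victim.

    The attacker holds the tunnel with the real server, and separately poses as
    a server to the victim (in a second tunnel, or over an untunneled run of the
    same legacy method). Returns True if the server accepts the attacker's tunnel.
    """
    attacker_tunnel_key, challenge = server.open_tunnel()
    victim_tunnel_key = os.urandom(32)  # the victim's tunnel, if any, is with the attacker
    password = USERS[b"alice"]          # known to the victim only; the attacker never sees it
    response = InnerMethod.respond(password, challenge)  # victim answers the relayed challenge
    # The best the attacker can forward is the victim's tag, bound to the wrong tunnel key.
    victim_tag = binding_tag(password, challenge, victim_tunnel_key) if server.binding else None
    return server.verify(b"alice", challenge, response, attacker_tunnel_key, victim_tag)


if __name__ == "__main__":
    print("honest, no binding:", honest_client(Server(binding=False)))
    print("relay,  no binding:", relay_attack(Server(binding=False)))
    print("honest, binding:   ", honest_client(Server(binding=True)))
    print("relay,  binding:   ", relay_attack(Server(binding=True)))
```

Without the binding the server has no way to tell that the party who answered the challenge is not the party holding the tunnel, so the relay is accepted; with the binding the attacker would need the inner method's exported key, which it never learns. The binding only helps when the inner method actually exports key material, which is why key-generating methods are the ones that can be safely carried inside a tunnel.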