
List:       ipsec
Subject:    Re: EAP-IKEv2 MITM prevention
From:       Bernard Aboba <aboba () internaut ! com>
Date:       2003-08-21 6:43:46

>    Yes, that's it exactly -- reality. Note that I'm
>    not defending this, just stating my experience in
>    the matter. My personal observation is that
>    there seems to be a lot of both use for better
>    or worse, and reticence to change people's AAA's.

There is no need to "change" anyone's AAA server to move away from
cleartext passwords, because there are no AAA servers in deployment that
support *only* cleartext passwords.

Cleartext passwords (PAP) were deprecated in PPP long ago, and RADIUS [RFC2865]
servers have supported CHAP for a very, very long time.  So IKEv2 should not be
assuming or requiring support for cleartext passwords.

Cleartext passwords are deprecated in PPP, are not permitted within RFC
2284-defined methods and cannot be supported within RADIUS/EAP without
potentially exposing the cleartext password over the Internet.

> EAP will fail because it is vulnerable to Man-in-the-Middle attacks

The issue is not unique to EAP, and the proposed resolution
for all EAP encapsulations (including IKEv2) is described here:

http://www.ietf.org/internet-drafts/draft-puthenkulam-eap-binding-03.txt

Note that the proposal is to require compliance with the suggested fix in
any EAP-encapsulating protocol -- including IKEv2.  Please read the draft
and send comments to the EAP WG mailing list: eap@frascone.com.

>    Does anybody --  Jari? -- have any idea how the
>    SIP saga ended?

My understanding is that HTTP digest support was widely adopted, to the
point where SIPPING is now looking at standardizing the RADIUS attributes
for HTTP Digest.
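The point above about PAP versus CHAP inside RADIUS can be made concrete. The following is an added example, not code from Bernard Aboba's message or from any RADIUS implementation: it builds the two RFC 2865 attributes side by side, the PAP User-Password (section 5.2, password XOR-masked with an MD5 stream keyed by the hop's shared secret and the Request Authenticator) and the CHAP-Password (section 5.3, built from the RFC 1994 MD5 response). The password, shared secret, challenge and Request Authenticator values are constructed for the demonstration. `reveal_user_password` is what every RADIUS proxy on the path can do with its hop secret, which is why a PAP password forwarded over the Internet is exposed to each intermediary; a CHAP-Password carries only the response, and the proxy cannot recover the password from it.

```python
"""RADIUS PAP (User-Password) vs CHAP (CHAP-Password) attribute construction.

Added example; not from the original message. Function names and all
sample values are assumptions chosen for the demonstration.
"""
import hashlib
import hmac


def hide_user_password(password: bytes, shared_secret: bytes,
                       request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is padded with NULs to a multiple of 16 octets and each
    16-octet block is XORed with MD5(secret + previous block), the first
    'previous block' being the 16-octet Request Authenticator.  This is
    hop-by-hop obfuscation, not end-to-end encryption.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block  # cipher-block chaining over the hidden blocks
    return hidden


def reveal_user_password(hidden: bytes, shared_secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: what any RADIUS proxy that holds the
    hop's shared secret can compute from a forwarded Access-Request.
    Trailing NUL padding is stripped, so a password ending in NUL would
    lose those octets (RFC 2865 has the same ambiguity)."""
    if len(hidden) % 16 or not hidden:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return plain.rstrip(b"\x00")


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3 CHAP-Password value: CHAP Ident octet followed by
    the RFC 1994 response MD5(Ident + password + challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Ident is one octet")
    ident_octet = bytes([ident])
    return ident_octet + hashlib.md5(ident_octet + password + challenge).digest()


def verify_chap(attr_value: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server-side check.  Note that the AAA server must hold the user's
    password in recoverable form to recompute the response."""
    if len(attr_value) != 17:
        return False
    ident_octet = attr_value[:1]
    expected = hashlib.md5(ident_octet + stored_password + challenge).digest()
    return hmac.compare_digest(expected, attr_value[1:])


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    password = b"correct horse"
    hop_secret = b"nas-to-proxy-secret"
    request_authenticator = bytes(range(16))
    challenge = b"\xa5" * 16

    pap_attr = hide_user_password(password, hop_secret, request_authenticator)
    print("PAP  User-Password on the wire :", pap_attr.hex())
    print("what the proxy recovers        :",
          reveal_user_password(pap_attr, hop_secret, request_authenticator))

    chap_attr = chap_password(0x2a, password, challenge)
    print("CHAP CHAP-Password on the wire :", chap_attr.hex())
    print("home server verifies           :",
          verify_chap(chap_attr, challenge, password))
```

Two caveats belong next to this. First, the CHAP response is still MD5 over a low-entropy secret, so an observer who sees challenge and response can run an offline dictionary attack; CHAP removes the proxy's direct access to the password, it does not make the exchange strong. Second, CHAP requires the AAA server to store the password in cleartext or reversibly encrypted form, which is the usual operational objection to it and the reason HTTP Digest style schemes, which the message mentions for SIP, have the same property.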





