Hi Nico,

If I understand you correctly, EAP crypto binding is what IKEv2 provides by 
default, by including the EAP MSK into the IKE AUTH payload (RFC 4306, sec. 
2.16 and 2.15). I believe what Dan is discussing is enabling secure 
transmission of ID parameters over the EAP channel (sorry...), which is exactly 
what RFC 5056 refers to as "EAP channel binding". Is there anything more that's 
needed?

Thanks,
        Yaron

> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
> Nicolas Williams
> Sent: Wednesday, December 09, 2009 4:08
> To: Michael Richardson
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] Proposed work item: EAP-only authentication in IKEv2
> 
> On Thu, Dec 03, 2009 at 10:18:48PM -0500, Michael Richardson wrote:
> > Dan Harkins wrote:
> > >     2. solves the specific problem it is aimed at poorly-- doubling of
> > >        the number of messages, requiring writing and testing of new
> > >        state EAP state machines that are, otherwise, unnecessary; and,
> >
> > Does it double, or does it really just "n+1", which is doubling if the
> > rest of the protocol has "n=1"?  I also wonder if this is really a
> > sufficiently compelling reason to have two sets of code.
> >
> > >     3. is insecure (unless something used nowhere today is employed:
> EAP
> > >        channel bindings).
> >
> > We can, and must solve this.
> 
> It's not just EAP channel binding that you need, but EAP cryptographic
> binding.  Remember: what EAP calls "channel binding" is very different
> from the meaning of "channel binding" used elsewhere (RFC5056 describes
> the difference in terminology); EAP cryptographic binding is closer to
> the more generic (IMO) meaning of channel binding.  (Just trying to
> avoid confusion!)
> 
> Nico
> --
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
> 
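The mechanism Yaron refers to, shown as an added example that is not code from the thread or from any IKEv2 implementation: RFC 4306 sec. 2.15 defines AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <signed octets>), and sec. 2.16 says that when the EAP method generates a key, that key (the EAP MSK) is the Shared Secret, so the EAP result is cryptographically bound to this particular IKE SA. The PRF is negotiated per SA; HMAC-SHA-256 is an assumption here, and the IKE_SA_INIT message, nonce, SK_pi, IDi and MSK are constructed stand-ins.

```python
import hashlib
import hmac

# RFC 4306 sec. 2.15: AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <signed octets>)
# RFC 4306 sec. 2.16: with a key-generating EAP method, the EAP-generated key (MSK)
# is used as the Shared Secret in that computation.
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 PRF. Negotiated per SA in reality; HMAC-SHA-256 is assumed for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def initiator_signed_octets(ike_sa_init_msg: bytes, nonce_r: bytes, sk_pi: bytes, idi: bytes) -> bytes:
    """RFC 4306 sec. 2.15: InitiatorSignedOctets = RealMessage1 | NonceRData | prf(SK_pi, IDi')."""
    return ike_sa_init_msg + nonce_r + prf(sk_pi, idi)


def compute_auth(shared_secret: bytes, octets: bytes) -> bytes:
    """AUTH payload data for the shared-secret case (sec. 2.15); for EAP, shared_secret is the MSK."""
    return prf(prf(shared_secret, KEY_PAD), octets)


def verify_auth(expected_msk: bytes, octets: bytes, received_auth: bytes) -> bool:
    """Responder-side check: recompute AUTH from its own copy of the MSK and compare in constant time."""
    return hmac.compare_digest(compute_auth(expected_msk, octets), received_auth)


def demo() -> dict:
    # Constructed stand-ins for the real IKE_SA_INIT bytes, responder nonce, SK_pi, IDi' and EAP MSK.
    msg1 = b"\x00" * 8 + b"IKE_SA_INIT message 1 (constructed)"
    nonce_r = bytes(range(32))
    sk_pi = hashlib.sha256(b"SK_pi (constructed)").digest()
    idi = b"\x03\x00\x00\x00" + b"initiator@example.test"  # ID type 3 = ID_RFC822_ADDR, then data
    msk = hashlib.sha512(b"EAP MSK (constructed)").digest()  # 64-byte MSK as EAP methods export

    octets = initiator_signed_octets(msg1, nonce_r, sk_pi, idi)
    auth = compute_auth(msk, octets)

    # Responder holds the same MSK from the EAP exchange: AUTH verifies.
    genuine = verify_auth(msk, octets, auth)
    # A party that relayed the EAP conversation but never obtained the MSK cannot produce AUTH.
    wrong_msk = verify_auth(bytes(64), octets, auth)
    # Same MSK but a different IKE_SA_INIT message (i.e. a different IKE SA): AUTH does not verify,
    # which is the binding of the EAP result to this specific IKE SA.
    other_sa = initiator_signed_octets(msg1[:-1] + b"!", nonce_r, sk_pi, idi)
    different_sa = verify_auth(msk, other_sa, auth)
    return {"genuine": genuine, "wrong_msk": wrong_msk, "different_sa": different_sa}


if __name__ == "__main__":
    print(demo())
```

The third case is the point of Nico's distinction: the MSK-keyed AUTH ties the EAP outcome to the IKE_SA_INIT bytes and nonces of one SA, which is cryptographic binding, whereas what RFC 5056 calls EAP "channel binding" is the separate matter of carrying identity parameters inside the EAP conversation.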