Hi Yaron,

Hi Valery,

Thanks for posting this draft.

One quick comment: the interaction of your proposal with EAP is not clear to me, i.e. when one peer uses Null auth and the other uses EAP. There are cases where this should be forbidden (e.g. MSCHAP, where the unauthenticated peer can mount a dictionary attack) and other cases where this is OK. Specifically, for the methods listed as "safe" in Sec. 4 of RFC 5998, I believe this use would be secure.

Actually, I think that NULL Auth should not be used with EAP.
Section 2.16 of RFC5996 states:

  In addition to authentication using public key signatures and shared
  secrets, IKE supports authentication using methods defined in RFC
  3748 [EAP].  Typically, these methods are asymmetric (designed for a
  user authenticating to a server), and they may not be mutual.  For
  this reason, these protocols are typically used to authenticate the
  initiator to the responder and MUST be used in conjunction with a
  public-key-signature-based authentication of the responder to the
  initiator.

I agree with you that in some cases using NULL Auth with EAP
might be secure, but as IKEv2 already requires the responder
to use signature auth with EAP, I don't see any reason to change it.

Do you think it's worth mentioning that in the draft and providing
a reference to the text from RFC5996?

Happy holidays!

Yaron

Happy New Year!

Valery.
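The combinations discussed in the exchange above, as an added example that is not part of the thread or of the NULL-auth draft: a small policy model that encodes the responder-side rule from RFC 5996, Section 2.16 (an EAP-authenticated initiator requires a signature-authenticated responder), the passive-only protection of NULL on both sides, and Yaron's point as an opt-in. The `safe_eap_methods` allow-list is a deployment-supplied assumption; which methods belong in it is the deployment's call (the thread points at RFC 5998, Section 4), and the example ships no list, which matches the strict position by default.

```python
"""Added example, not code from the thread or from the NULL-auth draft.

Policy model of IKEv2 authentication-method combinations:
  * RFC 5996, Section 2.16: an EAP-authenticated initiator requires a
    public-key-signature-authenticated responder.
  * Proposed NULL method: no authentication; NULL on both sides protects
    against passive attackers only.
  * Opt-in allow-list of EAP methods a deployment considers safe against an
    unauthenticated responder (assumption; empty by default).
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import FrozenSet, Optional


class Auth(Enum):
    """How a peer authenticates in IKE_AUTH. Code points are omitted on purpose."""
    SIGNATURE = auto()  # digital signature (RSA, DSS, ECDSA, ...)
    PSK = auto()        # shared-key MIC
    EAP = auto()        # initiator omits AUTH and runs an EAP method instead
    NULL = auto()       # proposed NULL authentication


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    protection: str  # "mutual", "one-way", "eap-only", "passive-only" or "none"
    reason: str


def check_ike_auth(initiator: Auth, responder: Auth,
                   eap_method: Optional[str] = None,
                   safe_eap_methods: FrozenSet[str] = frozenset()) -> Verdict:
    """Decide whether an (initiator, responder) combination is acceptable and
    what protection it gives. `safe_eap_methods` is the deployment's own list
    (assumption: empty unless the deployment opts in)."""
    if responder is Auth.EAP:
        # In IKEv2 only the initiator can be authenticated with EAP.
        return Verdict(False, "none",
                       "IKEv2 runs EAP only to authenticate the initiator")

    if initiator is Auth.EAP:
        if responder is Auth.SIGNATURE:
            return Verdict(True, "mutual",
                           "initiator via EAP, responder via signature (RFC 5996, 2.16)")
        if responder is Auth.NULL and eap_method in safe_eap_methods:
            # Authentication of both peers rests on the EAP method alone.
            return Verdict(True, "eap-only",
                           f"{eap_method} is on the deployment's safe list; "
                           "IKE itself does not authenticate the responder")
        return Verdict(False, "none",
                       "RFC 5996, 2.16: responder MUST use a public-key signature "
                       "when EAP is used; an unauthenticated responder could "
                       f"collect {eap_method or 'EAP'} exchanges, e.g. for a "
                       "dictionary attack against password-based methods")

    if initiator is Auth.NULL and responder is Auth.NULL:
        return Verdict(True, "passive-only",
                       "no peer authentication; an active attacker can "
                       "impersonate either side")

    if Auth.NULL in (initiator, responder):
        authenticated = "responder" if initiator is Auth.NULL else "initiator"
        return Verdict(True, "one-way",
                       f"only the {authenticated} is authenticated")

    return Verdict(True, "mutual", "both peers authenticate")


if __name__ == "__main__":
    # Constructed sample combinations, including the MSCHAP case from the thread.
    for init, resp, method in [
        (Auth.EAP, Auth.SIGNATURE, "EAP-MSCHAPv2"),
        (Auth.EAP, Auth.NULL, "EAP-MSCHAPv2"),
        (Auth.NULL, Auth.NULL, None),
    ]:
        v = check_ike_auth(init, resp, method)
        print(f"{init.name:9} / {resp.name:9}: allowed={v.allowed} "
              f"protection={v.protection}: {v.reason}")
```

The default (empty allow-list) is the strict reading of RFC 5996: an EAP initiator with a NULL or PSK responder is rejected. Passing `safe_eap_methods=frozenset({...})` models the relaxed reading; the verdict is then labelled `eap-only` so an operator sees that the responder's identity is vouched for by the EAP method, not by IKE.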

On 12/24/2013 03:47 PM, Valery Smyslov wrote:
Hi all,

I've just posted a draft, defining NULL Authentication method in IKEv2.
This method may be used for anonymous access or in situations
when peers don't have any trust relationship but still want
to get protection at least against passive attacks.

Regards,
Valery.


----- Original Message ----- From: <internet-dra...@ietf.org>
To: "Valery Smyslov" <s...@elvis.ru>; "Valery Smyslov" <s...@elvis.ru>
Sent: Tuesday, December 24, 2013 5:40 PM
Subject: New Version Notification for
draft-smyslov-ipsecme-ikev2-null-auth-00.txt
A new version of I-D, draft-smyslov-ipsecme-ikev2-null-auth-00.txt
has been successfully submitted by Valery Smyslov and posted to the
IETF repository.

Name: draft-smyslov-ipsecme-ikev2-null-auth
Revision: 00
Title: The NULL Authentication Method in IKEv2 Protocol
Document date: 2013-12-24
Group: Individual Submission
Pages: 8
URL: http://www.ietf.org/internet-drafts/draft-smyslov-ipsecme-ikev2-null-auth-00.txt
Status: https://datatracker.ietf.org/doc/draft-smyslov-ipsecme-ikev2-null-auth/
Htmlized: http://tools.ietf.org/html/draft-smyslov-ipsecme-ikev2-null-auth-00


Abstract:
   This document defines the NULL Authentication Method for IKEv2
   Protocol.  This method provides a way to omit peer authentication in
   IKEv2 and to explicitly indicate it in the protocol run.  This
   method may be used to preserve anonymity or in situations where no
   trust relationship exists between the parties.


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
