|Main Archive Page > Month Archives > ipsec archives|
> Thus, this starts the two-week WG Last Call on "An Extension for
> EAP-Only Authentication in IKEv2",
> <http://tools.ietf.org/html/draft-ietf-ipsecme-eap-mutual-01>. Please
> send any comments on the document to the mailing list. Support,
> criticism, and suggestions for additions or changes are all
> appropriate. At a minimum, I would like to see a handful of people say
> "I have read the draft".
We have added experimental support for this draft to version 4.3.6 of
our strongSwan open source IKEv2 daemon.
I think the draft looks good from an implementors perspective, here some
- Section 4 lists two requirements for EAP methods: mutual
authentication and key generation. As noted in section 6.3, an active
attacker can intercept plain EAP packets. I think it would be a good
idea to add a "dictionary-attack-resistant" property to the requirement
list. There are methods that have the other two properties, but are not
a good candidate for use with this draft. The widely deployed
EAP-MSCHAPv2 is such an example. Using it with the draft will highly
degrade the security of the IKEv2 protocol.
- The example of using EAP-GSS with with Kerberos in section 2 to
replace KINK is probably not the best one for the reason above. Or is
this combination in the end any more secure than using IKEv2 PSK with
- What's the reason for not adding EAP-TLS to the list of save methods?
I think EAP-TLS is a perfect candidate. It might be questionable to use
TLS within IKEv2 at all, but there actually are higher level protocols
that exactly use this combination. EAP-SIM is another candidate probably
worth to mention, having very similar properties as EAP-AKA.
- Section 3:
> If the responder supports this notification, it omits the public key
> based AUTH payload and CERT payloads from message 4.
This might be misleading, as the responder can ignore this notify even
if it supports the extension. This would make sense if the selected EAP
method does not have the required properties. "May omit"?
IPsec mailing list