Re: [IPsec] [Cfrg] Beginning discussion on secure password-only authentication for IKEv2
Paul Hoffman <paul.hoffman@vpnc.org> Tue, 02 March 2010 17:51 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F196D3A8A91; Tue, 2 Mar 2010 09:51:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.046
X-Spam-Level:
X-Spam-Status: No, score=-6.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0F8cKX3i2HZ; Tue, 2 Mar 2010 09:51:34 -0800 (PST)
Received: from balder-227.proper.com (Balder-227.Proper.COM [192.245.12.227]) by core3.amsl.com (Postfix) with ESMTP id 05B883A898D; Tue, 2 Mar 2010 09:51:33 -0800 (PST)
Received: from [10.20.30.158] (75-101-30-90.dsl.dynamic.sonic.net [75.101.30.90]) (authenticated bits=0) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id o22HpUXw038127 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 2 Mar 2010 10:51:31 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p0624080ec7b30030875e@[10.20.30.158]>
In-Reply-To: <4B8D494F.8010009@gmx.net>
References: <p0624081ac7b20a6459c5@[10.20.30.158]> <4B8D494F.8010009@gmx.net>
Date: Tue, 02 Mar 2010 09:51:29 -0800
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="us-ascii"
Cc: IPsecme WG <ipsec@ietf.org>, cfrg@irtf.org
Subject: Re: [IPsec] [Cfrg] Beginning discussion on secure password-only authentication for IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 17:51:35 -0000
At 7:22 PM +0200 3/2/10, Hannes Tschofenig wrote: >The challenge I have in understanding the motivation for this work is impacted by ... > >1) EAP is not only meant to be used with backend infrastructure. >2) EAP is an authentication framework and EAP methods exist that support strong-password based authentication. >3) EAP is implemented by folks in IKEv2 already. > >To me it seems that there is the chance to re-use existing mechanisms and to even re-use existing code. Hannes, it is not really appropriate to re-open closed charter issues. As you know, this was already discussed, at length, in the WG. That's why another part of the new charter has: - A standards-track IKEv2 extension to allow mutual EAP-based authentication in IKEv2, eliminating the need for the responder to present a certificate. The document will define the conditions that EAP methods need to fulfill in order to use this extension. The document will recommend, but will not require, the use of EAP methods that provide EAP channel binding. The proposed starting point for this work is draft-eronen-ipsec-ikev2-eap-auth-07.txt. For this thread, please focus on the issues at hand for a secure password-only authentication mode for IKEv2. Thanks! --Paul Hoffman, Director --VPN Consortium
- [IPsec] Beginning discussion on secure password-o… Paul Hoffman
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Hannes Tschofenig
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Paul Hoffman
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Steven M. Bellovin
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Yaron Sheffer
- Re: [IPsec] Beginning discussion on secure passwo… Dan Harkins
- Re: [IPsec] Beginning discussion on secure passwo… Yaron Sheffer
- Re: [IPsec] Beginning discussion on secure passwo… Paul Hoffman
- Re: [IPsec] Beginning discussion on secure passwo… Dan Harkins
- Re: [IPsec] Beginning discussion on secure passwo… Dan Harkins
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Blumenthal, Uri - 0662 - MITLL
- Re: [IPsec] Beginning discussion on secure passwo… Black_David
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Steven M. Bellovin
- Re: [IPsec] Beginning discussion on secure passwo… Dan Harkins
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Steven M. Bellovin
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Black_David
- Re: [IPsec] Beginning discussion on secure passwo… Yaron Sheffer
- Re: [IPsec] Beginning discussion on secure passwo… Yoav Nir
- Re: [IPsec] Beginning discussion on secure passwo… Tero Kivinen
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Blumenthal, Uri - 0662 - MITLL
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Blumenthal, Uri - 0662 - MITLL
- Re: [IPsec] [Cfrg] Beginning discussion on secure… thomwu
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Steven M. Bellovin
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Blumenthal, Uri - 0662 - MITLL
- [IPsec] [Fwd: Re: Beginning discussion on secure … Dan Harkins
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Dan Harkins
- [IPsec] [Fwd: Re: Beginning discussion on secure … Dan Harkins
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Black_David
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Blumenthal, Uri - 0662 - MITLL
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Yaron Sheffer
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Yoav Nir
- Re: [IPsec] [Cfrg] Beginning discussion on secure… Yaron Sheffer