Hi Sam, I was not able to follow the discussion about this particular topic, but I would like to ask a question. The use of EAP authentication over an unprotected link is something we can see over there. In fact, EAP methods that export key material are used to bootstrap a security association at the EAP lower layer.
I was wondering what the exact implications are of not protecting the information until the EAP authentication ends up with a key. If certain flags are unset during the conversation because it is not protected, the negotiation should fail, right? So some sort of denial-of-service problem will arise. Is that what you had in mind? I say this because, as you may know, there are some EAP lower layers which do not need to assume that there will be a pre-established protected channel to exchange EAP.

Best regards.

On 31/03/2011, at 10:03, Sam Hartman wrote:

> Folks, during today's meeting we discussed the need for protecting
> information exchanged during the context exchange.
>
> An example of this need would be protecting context flags from the
> client to the server.
> Some server implementations require that certain context flags be set.
> As an example ssh servers following RFC 4462 require the mutual flag be
> set.
> This needs to be integrity protected.
>
> There are a number of possible options:
>
> 1) Integrity protect each token separately. Downside: more complex,
> especially if tokens need integrity protection that are exchanged before
> a key is available.
>
> 2) Extend our mechanism to depend on a specific hash function.
> Disadvantage: requires us dealing with crypto primitives directly. Adds
> complexity to the specification of the mechanisms.
>
> 3) Provide a gss_getmic or similar of the entire conversation. The
> disadvantage here is that the client needs to maintain state sufficient
> to hold a copy of the conversation. If there is a stateless server, this
> ever-increasing state needs to be transported back and forth for each
> message.
>
> --Sam
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab

-------------------------------------------------------
Rafael Marin Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501
Fax: +34868884151
e-mail: [email protected]
-------------------------------------------------------
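The scenario Rafael asks about, as an added Python example that is not part of this thread or of any ABFAB implementation: the mutual flag travels in a token before any key exists; once the EAP method has exported key material, a MIC over the whole conversation (Sam's option 3) lets the server detect that the flag was altered in transit, so the result is a failed context establishment rather than a silent downgrade. The token format, the key value and the simulated in-transit change are assumptions made for the example.

```python
import hmac
import hashlib

# Constructed token format (hypothetical): the flags token carries the
# mutual ("M") and integrity ("I") context flags and is sent before any
# key exists, so nothing protects it on the wire at that point.
def flags_token(mutual: bool, integ: bool) -> bytes:
    return b"FLAGS:" + (b"M" if mutual else b"-") + (b"I" if integ else b"-")

def conversation_mic(key: bytes, transcript: list) -> bytes:
    # Option 3 from the thread: one MIC over the entire conversation.
    # Each token is length-prefixed so token boundaries cannot be shifted.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for token in transcript:
        mac.update(len(token).to_bytes(4, "big"))
        mac.update(token)
    return mac.digest()

def run_exchange(msk: bytes, clear_mutual_in_transit: bool,
                 server_requires_mutual: bool = True,
                 verify_transcript: bool = True) -> str:
    # msk stands in for key material exported by the EAP method; both
    # sides hold the same value once EAP completes (derivation omitted).
    sent = flags_token(mutual=True, integ=True)
    client_transcript = [sent]
    # Before a key exists the token is unprotected; the simulated change
    # clears the mutual flag between client and server.
    received = flags_token(mutual=False, integ=True) if clear_mutual_in_transit else sent
    server_transcript = [received]
    # A stateless server would have to carry server_transcript back and
    # forth in every message, the state cost Sam notes for option 3.
    if verify_transcript:
        client_mic = conversation_mic(msk, client_transcript)
        server_mic = conversation_mic(msk, server_transcript)
        if not hmac.compare_digest(client_mic, server_mic):
            return "fail: conversation MIC mismatch, context not established"
    if server_requires_mutual and not received.startswith(b"FLAGS:M"):
        return "fail: server requires the mutual flag (RFC 4462)"
    # Without the conversation MIC a server that does not insist on the
    # mutual flag accepts the weakened flags without noticing.
    return "ok: context established with " + received.decode()
```

With the MIC in place every in-transit change ends in a failed exchange, which is the denial-of-service outcome Rafael describes; without it, a server that does not require the flag accepts the downgraded context.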
