> Hannes is correct, the encrypted transport will only protect against passive 
> monitoring of the RADIUS traffic. There are two other obvious attacks, 
> monitoring at intermediate servers and monitoring at the authentication 
> server itself. And the references are worth reading again. Were they ever 
> published as an RFC?
> The monitoring at intermediate servers and proxies may be mitigated somewhat 
> by the choice of appropriate EAP methods, in which the user name is 
> obfuscated in the outer envelope and only revealed to the server in the 
> encrypted EAP payload.

Good choice of an EAP method will protect the password, and may protect
the username (it is up to John Doe on his computing device to configure
anonymous outer identities correctly - or not; guess what's the default
on most people's brains ;-) ).

There is still plenty of metadata to learn from the RADIUS packet, even
in the absence of username and password. If you control the
intermediary, mobility profiles come easy.

Greetings,

Stefan Winter

> As for the attack against authentication servers, they are somewhat beyond 
> the reach of the IETF. In fact, if I am not mistaken, the European data 
> retention rules require that network providers keep that kind of information 
> available for 18 months, and provide it on request. We can expect similar 
> rules to appear in other regions. But we should at least try to ensure that if 
> data has to be revealed, this is done with proper process and is applied on a 
> case by case basis.
> 
> -- Christian Huitema
> 
> _______________________________________________
> perpass mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/perpass
> 

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

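The point made above (an anonymous outer identity hides the username from proxies, but realm, NAS and station metadata stay visible) can be checked at an intermediary. The following is an added example, not code from the thread or from any RADIUS implementation: it builds a minimal Access-Request, parses the attribute TLVs, and reports whether the outer User-Name exposes a real username and what metadata remains. The packet builder, attribute values and the "anonymous"/empty local-part rule (after RFC 7542) are assumptions for the demonstration.

```python
import struct

# Attribute type codes from RFC 2865: User-Name, Called-Station-Id, NAS-Identifier
USER_NAME, CALLED_STATION_ID, NAS_IDENTIFIER = 1, 30, 32

def build_access_request(attrs, ident=1):
    """Constructed test input: Access-Request (code 1), zeroed Request Authenticator."""
    body = b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Walk the RADIUS attribute TLVs after the 20-byte header, with length checks."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, attrs

def outer_identity_report(packet):
    """What a proxy on the path can read from one Access-Request without the EAP payload."""
    _, attrs = parse_attributes(packet)
    by_type = {t: v for t, v in attrs}
    user = by_type.get(USER_NAME, b"").decode("utf-8", "replace")
    if "@" in user:
        local, realm = user.rsplit("@", 1)
    else:
        local, realm = user, ""
    # Assumed anonymity rule: NAI "@realm" or "anonymous@realm" reveals no user (RFC 7542)
    anonymous = local in ("", "anonymous")
    return {
        "outer_identity": user,
        "username_exposed": not anonymous,
        "realm": realm,  # still visible: needed for routing, tells which home org
        "nas_identifier": by_type.get(NAS_IDENTIFIER, b"").decode("utf-8", "replace"),
        "called_station_id": by_type.get(CALLED_STATION_ID, b"").decode("utf-8", "replace"),
    }

def audit(packets):
    """Count requests whose outer identity leaks a real username: (leaking, total)."""
    reports = [outer_identity_report(p) for p in packets]
    return sum(r["username_exposed"] for r in reports), len(reports)
```

Run against a capture at a proxy, the audit shows how many supplicants actually have anonymous outer identities configured, while the per-packet report lists the metadata that remains even when they do.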