Re: Issue 256: Miscellaneous NITs

From: Jari Arkko (jari.arkko
Date: Tue, 19 Oct 2004 09:24:45 -0400 (EDT)

Adrangi, Farid wrote:
--Jari
I understand the described attack problem below, but I don't think this
is particularly caused by the proposed solution in this draft. In
option 2 and 3 (described in the draft), the user's identity is exposed
before the mediating network information gets advertised. I have
nothing against your proposed text but I just wanted to understand the
rationale for adding more information about the attack (which is not
really caused by the proposed solution).
Attacks against weak EAP methods exist in any case, as do the privacy problems of revealing your identity in a cleartext message. However, it seems that "hints" or "advertisements" -- be it at link or EAP layer -- make it possible for attackers to fool the node into thinking that it's somewhere else than it really is, hence revealing more information than it would perhaps otherwise reveal.
I don't think this is a big deal -- but it would be something IETF RFCs would typically list in the security considerations section.
But I'll let Bernard speak to the necessity of this change, it was his issue after all. I was just following up on the issue resolutions and checking if everything in the three issues was indeed covered.
--Jari