RE: RE: Comments on draft-adrangi-eap-network-discovery-07.txt
From: Glen Zorn (gwz) (gwzcisco.com)
Date: Fri, 11 Feb 2005 22:12:59 -0500 (EST)
Adrangi, Farid <mailto:farid.adrangi [at] intel.com> supposedly scribbled:

> Thanks Glen.  Please see my comments inline.
> Farid
> 
>> -----Original Message-----
>> From: Glen Zorn (gwz) [mailto:gwz [at] cisco.com]
>> Sent: Friday, February 11, 2005 6:25 PM
>> To: gwz [at] cisco.com; Adrangi, Farid; iesg [at] ietf.org
>> Cc: Lortz, Victor; farooq.bari [at] attws.com; Pasi.Eronen [at] nokia.com;
>> eap [at] frascone.com
>> Subject: RE: [eap] RE: Comments on
>> draft-adrangi-eap-network-discovery-07.txt
>> 
>> 
>> Glen Zorn (gwz) <> supposedly scribbled:
>> 
>> ...
>> 
>>>> 
>>>> In the security section, we mention possible attack scenarios and some
>>>> methods to prevent them.  Did we miss any?  What is the attack
>>>> scenario that you have in mind?
>> 
>> Sorry, I missed this one.  It seems that it enables attacks against
>> the greater network;
> [FA] Right.  But, what are they? We mentioned some in the document --
> let's identify the ones that we missed.
>> it's not an attack against your protocol, per se,
> [FA] The draft does not provide any new protocol.  We are using
> existing EAP protocol with no changes. 
> 
>> but it seems that your protocol is giving away (by design) a lot of
>> information about network topology and even contracts to anybody who
>> happens along.
> 
> [FA] Yes, the roaming partners of the access network are given away.  So,
> let's identify how MITM

This isn't a man-in-the-middle attack; I don't have to eavesdrop, I
just have to ask.  

> can take advantage of the information and
> attack the network, in addition to what we already mentioned in
> the draft.

Did you mention this in the draft?  I must have missed it.  In any
case, how many attacks are enabled by having access to a network and
knowing which network it is?  Suppose that one of the realms being
advertised is intel.com.  That's wonderful!  I don't have to
war-dial (or -drive) to find a way into Intel's network, it's right
there in the comfort of my local Starbucks, advertised for all to
see!  Of course, I don't have credentials, but a user ID should be
easy to come by.  Maybe I can't get inside the Intel network easily,
but let's see, if I fail authentication n times, will the account be
disabled?  That should provide a little entertainment!  The point
is, this draft (by design) opens a hole that wasn't there before.
How big a truck can be driven through it remains to be seen...

> 
>> That's almost never a good idea.  It would be far less revealing if
>> the EAP peer were to send a list of realms it was willing to use.
>> 
>> Hope this helps,
>> 
>> ~gwz
>> 
>> Why is it that most of the world's problems can't be solved by simply
>>   listening to John Coltrane? -- Henry Gabriel

Hope this helps,

~gwz

Why is it that most of the world's problems can't be solved by simply
  listening to John Coltrane? -- Henry Gabriel
