RE: RE: Comments on draft-adrangi-eap-network-discovery-07.txt
From: Bari, Farooq (Farooq.Bari [at] cingular.com)
Date: Fri, 11 Feb 2005 22:51:21 -0500 (EST)
Hi Glen,

Good to hear from you. Please see my comments below.

-----Original Message-----
From: Glen Zorn (gwz) [mailto:gwz [at] cisco.com] 
Sent: Friday, February 11, 2005 7:13 PM
To: 'Adrangi, Farid'; iesg [at] ietf.org
Cc: 'Lortz, Victor'; Bari, Farooq; Pasi.Eronen [at] nokia.com;
eap [at] frascone.com
Subject: RE: [eap] RE: Comments on
draft-adrangi-eap-network-discovery-07.txt

Adrangi, Farid <mailto:farid.adrangi [at] intel.com> supposedly scribbled:

> Thanks Glen.  Please see my comments inline.
> Farid
> 
>> -----Original Message-----
>> From: Glen Zorn (gwz) [mailto:gwz [at] cisco.com]
>> Sent: Friday, February 11, 2005 6:25 PM
>> To: gwz [at] cisco.com; Adrangi, Farid; iesg [at] ietf.org
>> Cc: Lortz, Victor; farooq.bari [at] attws.com; Pasi.Eronen [at] nokia.com;
>> eap [at] frascone.com Subject: RE: [eap] RE: Comments on
>> draft-adrangi-eap-network-discovery-07.txt
>> 
>> 
>> Glen Zorn (gwz) <> supposedly scribbled:
>> 
>> ...
>> 
>>>> 
>>>> In security section, we mention possible attack scenarios and some
>>>> methods to prevent them.  Did we miss any?  What is the attack
>>>> scenario that you have in mind?
>> 
>> Sorry, I missed this one.  It seems that it enables attacks against
>> the greater network;
> [FA] Right.  But, what are they? We mentioned some in the document --
> let's identify the ones that we missed.
>> it's not an attack against your protocol, per se,
> [FA] The draft does not provide any new protocol.  We are using
> existing EAP protocol with no changes. 
> 
>> but it seems that your protocol is giving away (by design) a lot of
>> information about network topology and even contracts to anybody who
>> happens along.
> 
> [FA] Yes, roaming partners of the access network are given away.  So,
> let's identify how MITM

This isn't a man-in-the-middle attack; I don't have to eavesdrop, I
just have to ask.  

(FB) So what - should the service providers stop advertising their
presence...I am not sure what you are suggesting. If service providers
cannot announce their presence for fear of an attack then I am not sure
how they can serve their customers....should the hot spot operator stop
announcing its presence as well for fear of an attack?

> can take advantage of the information and
> attack the network, in addition to what we already mentioned in
> the draft.

Did you mention this in the draft?  I must have missed it.  In any
case, how many attacks are enabled by having access to a network and
knowing which network it is?  Suppose that one of the realms being
advertised is intel.com.  That's wonderful!  I don't have to
war-dial (or -drive) to find a way into Intel's network, it's right
there in the comfort of my local Starbucks, advertised for all to
see!  Of course, I don't have credentials, but a user ID should be
easy to come by.  Maybe I can't get inside the Intel network easily,
but let's see, if I fail authentication n times, will the account be
disabled?  That should provide a little entertainment!  The point
is, this draft (by design) opens a hole that wasn't there before.
How big a truck can be driven through it remains to be seen...

(FB) Again your reasoning is difficult for me to comprehend. All
cellular providers for example do advertise their presence, e.g. via
broadcasting a PLMN. That is how the subscribers can get to their
networks. This broadcast is visible to all non-subscribers as well.
Should they stop broadcasting their presence for fear of an attack? I
can probably write a very long email on it but I wait for your response
as to why do you expect service providers should stop broadcasting their
presence ....BTW your example is wrong. Intel till last news is not a
service provider - service providers on the other hand by default are
supposed to interface with both their customers as well as roaming
partner customers from all locations including Starbucks and Tullys and
other small venues like them.


> 
>>  That's almost never a good idea.  It would be far less revealing if
>> the EAP peer were to send a list of realms it was willing to use.
>> 
>> Hope this helps,
>> 
>> ~gwz
>> 
>> Why is it that most of the world's problems can't be solved by simply
>>   listening to John Coltrane? -- Henry Gabriel

Hope this helps,

~gwz

Why is it that most of the world's problems can't be solved by simply
  listening to John Coltrane? -- Henry Gabriel
