RE: Re: Issue 352: Channel Binding Issue
From: Salowey, Joe (jsaloweycisco.com)
Date: Tue, 2 May 2006 15:10:56 -0700 (PDT)
 

> As noted in [RFC3748] Section 7.15, this vulnerability can be
> addressed by EAP methods that support a protected exchange of channel
> properties such as endpoint identifiers, including (but not limited
> to): Called-Station-Id [RFC2865][RFC3580], Calling-Station-Id
> [RFC2865][RFC3580], NAS-Identifier [RFC2865], NAS-IP-Address
> [RFC2865], and NAS-IPv6-Address [RFC3162].
> "
> 
> I'd mention that the Channel Binding description in RFC3748 is somewhat
> obsolete according to the recent discussion on the AAA server's
> requirement on pre-configuring Channel Binding parameters.  Do we
> need this paragraph?  Or instead we may have some explicit text here
> to obsolete the Channel Binding description in RFC3748.
> 
[Joe] I don't see how this text is obsolete.  Channel binding is not
just an EAP-keying concept. 

> 
> "
> Using such a protected exchange, it is possible to match the channel
> properties provided by the authenticator via out-of-band mechanisms
> against those exchanged within the EAP method.  For example, see the
> discussion in Section 1.4 as well as [I-D.arkko-eap-service-identity-
> auth].
> "
> 
> According to the AAA server's requirement on pre-configuring
> Channel Binding parameters, I don't see the usefulness of
> [I-D.arkko-eap-service-identity-auth].  Do we really need this
> paragraph?
> 
[Joe] It still seems useful to me. 


> 
> "
> The main difference between these approaches is that Channel Binding
> support within an EAP method may require upgrading or changing the
> EAP method, impacting both the peer and the server.  Where Channel
> Bindings are implemented in AAA, the peer, authenticator and the
> backend server need to be upgraded, but the EAP method need not be
> modified.
> "
> 
> If we have only one Channel Binding method, we don't need this
> comparison.

[Joe] I don't think this is the place to define one method.


> Best regards,
> Yoshihiro Ohba

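The quoted draft text says channel binding works by matching the channel properties the authenticator supplied out of band (the RADIUS attributes in the Access-Request) against the ones the peer reports inside the protected EAP method exchange. The following is an added example of that match, written for this archive page; it is not code from the draft, from RFC 3748, or from any EAP or AAA implementation. It assumes the peer-side values arrive as a plain attribute-name-to-string mapping (how the EAP method carries them is method-specific and not modelled here), and the "required" attribute policy is an assumption of the example, not something the draft specifies. The sample attribute values are constructed.

```python
"""Added example: matching EAP channel-binding attributes.

The AAA server holds two views of the same channel: what the NAS told it
out of band (RADIUS Access-Request attributes) and what the peer reported
inside the protected EAP method exchange. A lying NAS cannot make both
views agree, so a mismatch is the signal to reject the binding.
Attribute names follow RFC 2865 / RFC 3162 / RFC 3580; the policy knobs
below are assumptions of this example, not taken from the draft.
"""
import ipaddress
import re

# The channel properties listed in the quoted draft text.
CHANNEL_BINDING_ATTRS = (
    "Called-Station-Id",
    "Calling-Station-Id",
    "NAS-Identifier",
    "NAS-IP-Address",
    "NAS-IPv6-Address",
)

# RFC 3580 writes MACs as "00-10-A4-23-19-C0"; peers often write "00:10:a4:...".
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")


def _normalize(attr, value):
    """Canonicalize a value so cosmetic differences do not look like an attack."""
    if attr in ("Called-Station-Id", "Calling-Station-Id"):
        # A MAC is 17 characters; Called-Station-Id may append ":SSID" (RFC 3580).
        head, rest = value[:17], value[17:]
        if _MAC_RE.match(head) and (rest == "" or rest.startswith(":")):
            return head.upper().replace(":", "-") + rest
        return value
    if attr in ("NAS-IP-Address", "NAS-IPv6-Address"):
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return value  # unparsable stays as-is and will simply fail to match
    return value


def check_channel_bindings(aaa_attrs, peer_attrs, required=("NAS-Identifier",)):
    """Compare out-of-band (AAA) and in-method (peer) channel properties.

    Returns (ok, mismatches, unchecked):
      mismatches - attributes present on both sides whose values differ
      unchecked  - attributes absent on at least one side (cannot be verified)
    The binding is rejected on any mismatch, or if an attribute in `required`
    (assumed server policy) could not be checked at all.
    """
    mismatches, unchecked = [], []
    for attr in CHANNEL_BINDING_ATTRS:
        if attr not in aaa_attrs or attr not in peer_attrs:
            unchecked.append(attr)
            continue
        if _normalize(attr, aaa_attrs[attr]) != _normalize(attr, peer_attrs[attr]):
            mismatches.append(attr)
    missing_required = [a for a in required if a in unchecked]
    return (not mismatches and not missing_required), mismatches, unchecked


# Constructed sample: what the NAS sent the AAA server in the Access-Request.
RADIUS_FROM_NAS = {
    "NAS-Identifier": "ap-lobby-1",
    "NAS-IP-Address": "192.0.2.10",
    "Called-Station-Id": "00-10-A4-23-19-C0:CorpNet",
    "Calling-Station-Id": "00-1B-63-84-45-E6",
}

# Constructed sample: what the peer reported inside the protected EAP exchange
# (same channel, different MAC spelling, and it does not know the NAS's IP).
PEER_ASSERTED = {
    "NAS-Identifier": "ap-lobby-1",
    "Called-Station-Id": "00:10:a4:23:19:c0:CorpNet",
    "Calling-Station-Id": "00:1b:63:84:45:e6",
}

# Constructed sample: the NAS advertised "CorpNet" to the peer but told the
# AAA server it is serving "GuestNet" (the RFC 3748 Section 7.15 lying-NAS case).
RADIUS_FROM_LYING_NAS = dict(RADIUS_FROM_NAS,
                             **{"Called-Station-Id": "00-10-A4-23-19-C0:GuestNet"})


if __name__ == "__main__":
    print(check_channel_bindings(RADIUS_FROM_NAS, PEER_ASSERTED))
    print(check_channel_bindings(RADIUS_FROM_LYING_NAS, PEER_ASSERTED))
    print(check_channel_bindings(RADIUS_FROM_NAS, PEER_ASSERTED,
                                 required=("NAS-IP-Address",)))
```

The normalization step is where the practitioner's care goes: the honest case above only passes because MAC case and separators are canonicalized, and the lying-NAS case still fails because the SSID suffix is compared verbatim. The `unchecked` list is what the "pre-configuration" argument in the thread is about: the server can only demand an attribute it knows the peer will be able to report.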