List Info

Thread: Issue 352: Channel Binding Issue
Issue 352: Channel Binding Issue
user name
 2006-05-02 22:18:20 
 

> As noted in [RFC3748] Section 7.15, this vulnerability
can be
> addressed by EAP methods that support a protected
exchange of channel
> properties such as endpoint identifiers, including (but
not limited
> to): Called-Station-Id [RFC2865][RFC3580],
Calling-Station-Id
> [RFC2865][RFC3580], NAS-Identifier [RFC2865],
NAS-IP-Address
> [RFC2865], and NAS-IPv6-Address [RFC3162].
> "
> 
> I'd mention that Channel Binding description in
RFC3748 is somewhat
> obsolete according to the recent discussion on the AAA
server's
> requirement on pre-configurating Channel Binding
parameters.  Do we
> need this paragraph?  Or instead we may have some
explicit text here
> to obsolete Channel Binding description in RFC3748.
> 
[Joe] I don't see how this text is obsolete.  Channel
binding is not
just an EAP-keying concept. 

> 
> "
> Using such a protected exchange, it is possible to
match the channel
> properties provided by the authenticator via
out-of-band mechanisms
> against those exchanged within the EAP method.  For
example, see the
> discussion in Section 1.4 as well as
[I-D.arkko-eap-service-identity-
> auth].
> "
> 
> According to the the AAA server's requirement on
pre-configurating
> Channel Binding parameters, I don't see the usefulness
of
> [I-D.arkko-eap-service-identity-auth].  Do we really
need this
> paragraph?
> 
[Joe] It still seems useful to me. 


> 
> "
> The main difference between these approaches is that
Channel Binding
> support within an EAP method may require upgrading or
changing the
> EAP method, impacting both the peer and the server.  
Where Channel
> Bindings are implemented in AAA,  the peer,
authenticator and the
> backend server need to be upgraded, but the EAP method
need not be
> modified.
> "
> 
> If we have only one Channel Binding method, we don't
need this
> comparison.

[Joe] I don't think this is the place to define one method.


> Best regards,
> Yoshihiro Ohba
>
____________________________________________________________
_____
> To unsubscribe or modify your subscription options,
please visit:
> http:/
/lists.frascone.com/mailman/listinfo/eap
> 
> Arhives: http://lists.
frascone.com/pipermail/eap
> 
____________________________________________________________
_____
To unsubscribe or modify your subscription options, please
visit:
http:/
/lists.frascone.com/mailman/listinfo/eap

Arhives: http://lists.
frascone.com/pipermail/eap
Issue 352: Channel Binding Issue
user name
 2006-05-02 23:18:52 
On Tue, May 02, 2006 at 03:18:20PM -0700, Salowey, Joe
wrote:
>  
> 
> > As noted in [RFC3748] Section 7.15, this
vulnerability can be
> > addressed by EAP methods that support a protected
exchange of channel
> > properties such as endpoint identifiers, including
(but not limited
> > to): Called-Station-Id [RFC2865][RFC3580],
Calling-Station-Id
> > [RFC2865][RFC3580], NAS-Identifier [RFC2865],
NAS-IP-Address
> > [RFC2865], and NAS-IPv6-Address [RFC3162].
> > "
> > 
> > I'd mention that Channel Binding description in
RFC3748 is somewhat
> > obsolete according to the recent discussion on the
AAA server's
> > requirement on pre-configurating Channel Binding
parameters.  Do we
> > need this paragraph?  Or instead we may have some
explicit text here
> > to obsolete Channel Binding description in
RFC3748.
> > 
> [Joe] I don't see how this text is obsolete.  Channel
binding is not
> just an EAP-keying concept. 

I'd say the Channel Binding problem description in RFC3748
is valid,
but the solution described in RFC 3748 would be a bit
obsolete.

> 
> > 
> > "
> > Using such a protected exchange, it is possible to
match the channel
> > properties provided by the authenticator via
out-of-band mechanisms
> > against those exchanged within the EAP method. 
For example, see the
> > discussion in Section 1.4 as well as
[I-D.arkko-eap-service-identity-
> > auth].
> > "
> > 
> > According to the the AAA server's requirement on
pre-configurating
> > Channel Binding parameters, I don't see the
usefulness of
> > [I-D.arkko-eap-service-identity-auth].  Do we
really need this
> > paragraph?
> > 
> [Joe] It still seems useful to me. 

Can you elaborate on how it is useful?

Regards,
Yoshihiro Ohba


> 
> 
> > 
> > "
> > The main difference between these approaches is
that Channel Binding
> > support within an EAP method may require upgrading
or changing the
> > EAP method, impacting both the peer and the
server.   Where Channel
> > Bindings are implemented in AAA,  the peer,
authenticator and the
> > backend server need to be upgraded, but the EAP
method need not be
> > modified.
> > "
> > 
> > If we have only one Channel Binding method, we
don't need this
> > comparison.
> 
> [Joe] I don't think this is the place to define one
method.
> 
> 
> > Best regards,
> > Yoshihiro Ohba
> >
____________________________________________________________
_____
> > To unsubscribe or modify your subscription
options, please visit:
> > http:/
/lists.frascone.com/mailman/listinfo/eap
> > 
> > Arhives: http://lists.
frascone.com/pipermail/eap
> > 
> 
> 
____________________________________________________________
_____
To unsubscribe or modify your subscription options, please
visit:
http:/
/lists.frascone.com/mailman/listinfo/eap

Arhives: http://lists.
frascone.com/pipermail/eap
[1-2]

about | contact  Other archives ( Real Estate discussion Medical topics )