
Re: The Emperor Has No Clothes: Is PANA actually useful?

2006-05-25 22:36:40
On Thu, May 25, 2006 at 09:24:03PM -0700, Bernard Aboba wrote:
> > I have other security-related issues on NACP.  My view is that secure
> > enhancement of NACP will be equivalent to the EAP over UDP protocol
> > the IETF is standardizing, PANA.
>
> Can you describe why the security of PANA is better than EAP over UDP
> (NACP)?  I had thought that they were more or less equivalent, since
> neither approach mandates protection.

NACP does not have its own integrity protection mechanism while PANA
has.  It is true that PANA AUTH AVP is optional, but the use of
protection is mandatory when an EAP method that is capable of deriving
keys is used.  This is described in the PANA specification draft.

We can discuss security aspects more, but what I would really like to
say in this thread is that discussing usefulness of PANA or any other
EAP transport without deep security analysis does not appear to be the
right thing.

Yoshihiro Ohba

