
RE: Kerberos

2006-05-26 15:11:19

"Narayanan," == Narayanan, Vidya <vidyan@qualcomm.com> writes:

> I fully agree. As far as I can tell, using EAP in this manner merely
> reduces it to a posture transport protocol. The level of security
> provided by EAPoUDP does not seem to be any greater than a
> Kerberos-based authentication done today in most enterprise networks,
> considering the presence of switched ethernet. Hence, the only reason
> to move to EAPoUDP would be to check posture and I agree with Sam that
> making EAP the posture transport protocol is a bad idea.

Hey!
Speaking as MIT's manager for Kerberos, I'm insulted :-)

We certainly recommend, and the Kerberos protocols I'm aware of almost
all support, using Kerberos to actually key integrity protection or
confidentiality. Use in enterprise networks for LDAP, SMTP and file
sharing all support and use binding of integrity or confidentiality.

We strongly discourage the use of Kerberos without integrity bound to
the authentication.

There are a number of cases where Kerberos is used in a manner similar
to RADIUS/Diameter, but that's really more for convenience, to have your
passwords in one place, than because you're making good use of Kerberos.
You're not making bad use of Kerberos per se, but you certainly could be
providing a lot better security.


Perhaps I should have clarified better in my email :) I am not at all
disputing that Kerberos provides a higher level of security when used
with integrity protection or confidentiality keys bound to the
authentication. The point I was trying to make was that *even* when
Kerberos is only used for authentication (without any key binding), it
provides as much security as using EAPoUDP for authentication as is
being discussed here. Hence, even in that scenario, I see no advantage
in doing EAPoUDP (other than to transport posture data, as is being
perceived in the NEA work).

Regards,
Vidya
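The distinction the thread turns on, Kerberos used for authentication alone versus Kerberos used to key integrity protection for the traffic that follows, in a toy model. This is an added example and not code from the thread or from MIT Kerberos: the KDC and ticket exchange are replaced by a constructed shared session key, the AP-REQ is modelled as a call the attacker cannot forge, the "wire" is a Python list, and an HMAC-SHA256 over sequence number and payload stands in for a GSS-API wrap token or KRB-SAFE checksum. The principal name, commands and the attacker's guessed key are all made up.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the service session key that the ticket / AP-REP
# exchange would establish between client and service (hypothetical, not a
# real krb5 key derivation).
SESSION_KEY = os.urandom(32)


def mac(key: bytes, seq: int, payload: bytes) -> bytes:
    """Integrity tag over (sequence number || payload).

    Stands in for a GSS-API wrap token or KRB-SAFE checksum keyed by the
    session key; the real protocols use a key-usage-specific krb5 checksum."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def client_message(principal: str, seq: int, cmd: str, key: Optional[bytes]) -> Dict:
    """Build one post-authentication request; tag it only if a key is bound."""
    msg = {"principal": principal, "seq": seq, "cmd": cmd}
    if key is not None:
        msg["tag"] = mac(key, seq, cmd.encode())
    return msg


class Service:
    """A service that either trusts 'principal' after authentication (key=None)
    or requires every request to carry a tag under the bound session key."""

    def __init__(self, key: Optional[bytes]):
        self.key = key
        self.authenticated = set()
        self.last_seq: Dict[str, int] = {}
        self.executed: List[str] = []

    def ap_req(self, principal: str) -> None:
        # The AP-REQ itself is treated as unforgeable: the attacker does not
        # hold the principal's credentials. The question is what protects
        # the traffic that follows it.
        self.authenticated.add(principal)
        self.last_seq[principal] = 0

    def handle(self, msg: Dict) -> str:
        principal = msg["principal"]
        if principal not in self.authenticated:
            return "rejected: not authenticated"
        if self.key is None:
            # Authentication-only deployment: anything claiming to come from
            # an authenticated principal is acted on.
            self.executed.append(msg["cmd"])
            return "executed"
        expected = mac(self.key, msg["seq"], msg["cmd"].encode())
        tag = msg.get("tag")
        if tag is None or not hmac.compare_digest(tag, expected):
            return "rejected: bad integrity tag"
        if msg["seq"] <= self.last_seq[principal]:
            return "rejected: replay"
        self.last_seq[principal] = msg["seq"]
        self.executed.append(msg["cmd"])
        return "executed"


def run_scenario(bind_integrity: bool) -> Tuple[List[str], List[str]]:
    """Authenticate alice, then put three messages on the wire: her genuine
    request, an attacker's injected request, and a replay of her request.
    Returns (per-message verdicts, commands the service actually executed)."""
    key = SESSION_KEY if bind_integrity else None
    svc = Service(key)
    svc.ap_req("alice@EXAMPLE.COM")

    wire = [client_message("alice@EXAMPLE.COM", 1, "ls /home/alice", key)]

    # Attacker on the network path who never authenticated: the message only
    # claims to be from alice. Without the session key the best it can do is
    # a tag under a guessed (here all-zero, constructed) key.
    forged = {"principal": "alice@EXAMPLE.COM", "seq": 2, "cmd": "rm -rf /home/alice"}
    if bind_integrity:
        forged["tag"] = mac(b"\x00" * 32, 2, b"rm -rf /home/alice")
    wire.append(forged)

    # Replay of alice's genuine message, captured earlier on the same path.
    wire.append(dict(wire[0]))

    verdicts = [svc.handle(m) for m in wire]
    return verdicts, svc.executed


if __name__ == "__main__":
    for bound in (False, True):
        verdicts, executed = run_scenario(bound)
        mode = "integrity bound" if bound else "authentication only"
        print(mode, verdicts, executed)
```

In the authentication-only run the service executes all three messages, including the attacker's injected command and the replay, because nothing after the AP-REQ ties a request to the authenticated principal. With the session key bound, the injected message fails the tag check and the replay is caught by the sequence number; only alice's own request runs. The sequence-number check is what stops a captured tagged message from being resent, so a deployment that adds a MAC but omits it is still open to replay.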

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
