> "Narayanan," == Narayanan, Vidya <vidyan(_at_)qualcomm(_dot_)com>
> writes:
> Narayanan,> I fully agree. As far as I can tell, using EAP in this
> Narayanan,> manner merely reduces it to a posture transport
> Narayanan,> protocol. The level of security provided by EAPoUDP
> Narayanan,> does not seem to be any greater than a Kerberos-based
> Narayanan,> authentication done today in most enterprise networks,
> Narayanan,> considering the presence of switched Ethernet. Hence,
> Narayanan,> the only reason to move to EAPoUDP would be to check
> Narayanan,> posture, and I agree with Sam that making EAP the
> Narayanan,> posture transport protocol is a bad idea.
> Hey!
> Speaking as MIT's manager for Kerberos, I'm insulted :-)
> We certainly recommend, and the Kerberos protocols I'm aware
> of almost all support, using Kerberos to actually key
> integrity protection or confidentiality. Uses in enterprise
> networks for LDAP, SMTP, and file sharing all support and use
> binding of integrity or confidentiality.
> We strongly discourage the use of Kerberos without integrity
> bound to the authentication.
> There are a number of cases where Kerberos is used in a
> manner similar to RADIUS/Diameter, but that's really more for
> convenience, to have your passwords in one place, than because
> you're making good use of Kerberos. You're not making bad
> use of Kerberos per se, but you certainly could be providing
> a lot better security.
Perhaps I should have clarified better in my email :) I am not at all
disputing that Kerberos provides a higher level of security when used with
integrity protection or confidentiality keys bound to the
authentication. The point I was trying to make was that *even* when
Kerberos is only used for authentication (without any key binding), it
provides as much security as using EAPoUDP for authentication as is
being discussed here. Hence, even in that scenario, I see no advantage
in doing EAPoUDP (other than to transport posture data, as is being
perceived in the NEA work).
Regards,
Vidya
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf