RE: RADIUS-Mobile IP support??: RADEXT WG Charter
Charlie,
The MN-HA shared secret can be changed every moment or may be static (the other
end of the spectrum). Distribution of static pre-configured keys (not derived)
is not good crypto practice. Maybe we should ask the security area experts to
comment on key distribution.
-Kuntal
>-----Original Message-----
>From: Charles E. Perkins [mailto:charliep@iprg.nokia.com]
>Sent: Wednesday, May 19, 2004 5:34 PM
>To: Chowdhury, Kuntal [RICH1:2H18:EXCH]
>Cc: Nakhjiri Madjid-MNAKHJI1; radiusext@ops.ietf.org; Pete
>McCann; tom.hiller@lucent.com
>Subject: Re: RADIUS-Mobile IP support??: RADEXT WG Charter
>
>
>
>Hello Kuntal,
>
>How long is too long?
>
>Doesn't it matter that the secret is passed in a
>way that protects it from onlookers?
>
>Regards,
>Charlie P.
>
>
>Kuntal Chowdhury wrote:
>
>>Charlie,
>>
>>Sending a user's (static or long-lived) shared secret over the wire
>>opens up attacks. If the MN-HA shared secret is compromised, MIP4
>>will run into a serious security issue. That's why it is a bad idea.
>>
>>-Kuntal
>>
>>
>>
>>>-----Original Message-----
>>>From: Charles E. Perkins [mailto:charliep@iprg.nokia.com]
>>>Sent: Wednesday, May 19, 2004 5:11 PM
>>>To: Nakhjiri Madjid-MNAKHJI1
>>>Cc: Chowdhury, Kuntal [RICH1:2H18:EXCH];
>>>radiusext@ops.ietf.org; Pete McCann; tom.hiller@lucent.com
>>>Subject: RE: RADIUS-Mobile IP support??: RADEXT WG Charter
>>>
>>>
>>>
>>>Hello folks,
>>>
>>>Since I'm receiving these e-mails, perhaps someone could enlighten me:
>>>
>>>
>>>
>>>>2. The distribution of MN-HA shared-secret to the HA (from HAAAs) is a
>>>>bad practice. We are not doing that for MIP6 and we may fix that in a
>>>>bug fix release for MIP4.
>>>
>>>Why is this a bad idea?
>>>
>>>I thought it was pretty good, actually...
>>>
>>>
>>>Regards,
>>>Charlie P.
>>>
>>>
>>>
>
>
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
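The two key-distribution models the thread argues over, as an added example that is not part of the thread, of RADEXT, or of any RFC text: a static MN-HA secret handed to the HA for every session, versus a per-session MN-HA key that the AAA server derives from a long-lived MN-AAA key with a fresh nonce, so that the MN can compute the same key from the nonce and the root key never leaves the AAA server or the MN. The derivation input layout (nonce, NAI, HA address under HMAC-SHA256), the class names, the NAI and addresses, and the registration messages are all constructed for illustration and follow no specific specification verbatim.

```python
import hashlib
import hmac
import os

# Added example (not from the thread): contrasting a static MN-HA secret handed to
# the HA with a per-session MN-HA key derived from a long-lived MN-AAA key.
# The derivation input layout is an assumption for illustration; it is in the
# spirit of AAA-derived registration keys but follows no particular spec verbatim.


def derive_mn_ha_key(mn_aaa_key: bytes, nonce: bytes, nai: str, ha_addr: str) -> bytes:
    """Per-session MN-HA key = HMAC(MN-AAA key, nonce | NAI | HA address).

    Both the AAA server and the MN hold mn_aaa_key; the HA never sees it. Only
    the nonce (to the MN) and the derived key (to the HA) leave the AAA server.
    """
    info = nonce + b"|" + nai.encode() + b"|" + ha_addr.encode()
    return hmac.new(mn_aaa_key, info, hashlib.sha256).digest()


def registration_authenticator(mn_ha_key: bytes, registration: bytes) -> bytes:
    """Stand-in for the MN-HA authentication extension over a registration request."""
    return hmac.new(mn_ha_key, registration, hashlib.sha256).digest()


class AAAServer:
    """Holds each MN's long-lived MN-AAA key and derives per-session MN-HA keys."""

    def __init__(self) -> None:
        self._mn_aaa_keys: dict[str, bytes] = {}

    def provision(self, nai: str, mn_aaa_key: bytes) -> None:
        self._mn_aaa_keys[nai] = mn_aaa_key

    def authorize(self, nai: str, ha_addr: str) -> tuple[bytes, bytes]:
        """Returns (nonce for the MN, MN-HA key for the HA). The root key stays here."""
        nonce = os.urandom(16)
        return nonce, derive_mn_ha_key(self._mn_aaa_keys[nai], nonce, nai, ha_addr)


class HomeAgent:
    """Installs whatever MN-HA key the AAA server hands it and checks registrations."""

    def __init__(self, addr: str) -> None:
        self.addr = addr
        self.mn_ha_keys: dict[str, bytes] = {}  # NAI -> currently installed key

    def verify(self, nai: str, registration: bytes, authenticator: bytes) -> bool:
        expected = registration_authenticator(self.mn_ha_keys[nai], registration)
        return hmac.compare_digest(expected, authenticator)


def run_session(aaa: AAAServer, ha: HomeAgent, nai: str, mn_aaa_key: bytes, registration: bytes):
    """One registration: AAA derives the key, HA installs it, MN derives the same key."""
    nonce, ha_side_key = aaa.authorize(nai, ha.addr)
    ha.mn_ha_keys[nai] = ha_side_key  # delivered AAA -> HA (over the protected AAA channel)
    mn_side_key = derive_mn_ha_key(mn_aaa_key, nonce, nai, ha.addr)  # MN only needs the nonce
    auth = registration_authenticator(mn_side_key, registration)
    return mn_side_key, ha.verify(nai, registration, auth)


def compare_static_vs_derived() -> dict:
    """Runs two sessions under each model and reports what a captured key buys an attacker."""
    nai = "mn@example.net"              # constructed NAI
    mn_aaa_key = os.urandom(32)         # provisioned out of band, never sent on the wire
    aaa = AAAServer()
    aaa.provision(nai, mn_aaa_key)
    ha = HomeAgent("192.0.2.10")        # constructed HA address
    reg1 = b"RRQ|seq=1|coa=203.0.113.5"  # constructed registration requests
    reg2 = b"RRQ|seq=2|coa=203.0.113.6"

    # Derived keys: every session gets a fresh MN-HA key.
    k1, ok1 = run_session(aaa, ha, nai, mn_aaa_key, reg1)
    k2, ok2 = run_session(aaa, ha, nai, mn_aaa_key, reg2)
    # Attacker who captured k1 (from the link or a compromised HA) tries to forge session 2.
    forged_accepted = ha.verify(nai, reg2, registration_authenticator(k1, reg2))

    # Static secret: the same MN-HA secret is handed over for every session, so one
    # capture of the distribution lets the attacker authenticate every later registration.
    static_secret = os.urandom(32)
    ha_static = HomeAgent("192.0.2.10")
    ha_static.mn_ha_keys[nai] = static_secret   # sent AAA -> HA, and reused for every session
    captured = static_secret                    # attacker observed that distribution once
    static_forged_accepted = ha_static.verify(nai, reg2, registration_authenticator(captured, reg2))

    return {
        "derived_keys_agree": ok1 and ok2,
        "derived_keys_differ": k1 != k2,
        "old_derived_key_forges_new_session": forged_accepted,
        "captured_static_secret_forges_new_session": static_forged_accepted,
    }
```

The point the example makes is the one both sides of the thread are circling: with derivation, the only secret that crosses the AAA-to-HA link and sits on the HA is a per-session value, so a capture or an HA compromise exposes that session rather than the MN's long-lived credential, whereas handing out a static MN-HA secret makes every later registration forgeable from a single capture. Charlie's question still applies, though: the derived key is only as safe as the channel that carries it from AAA to HA, and the MN-AAA root key itself remains a static, pre-provisioned secret that must never be distributed.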