
RE: RADIUS-Mobile IP support??: RADEXT WG Charter



If the AAA and the HA are in the same administrative domain, and if we assume it is a secure link between the AAA and the HA, the security issue of distributing the key from the AAAH to the HA may not be critical. 
Lila

-----Original Message-----
From: owner-radiusext@ops.ietf.org
[mailto:owner-radiusext@ops.ietf.org]On Behalf Of Kuntal Chowdhury
Sent: Wednesday, May 19, 2004 6:48 PM
To: Charles E. Perkins
Cc: Nakhjiri Madjid-MNAKHJI1; radiusext@ops.ietf.org; Pete McCann;
tom.hiller@lucent.com
Subject: RE: RADIUS-Mobile IP support??: RADEXT WG Charter


Charlie,

MN-HA shared secret can be changed every moment or may be static (other end
of the spectrum). Distribution of static pre-configured keys (not derived)
is not a good crypto practice. Maybe we should ask security area experts to
comment on key distribution.

-Kuntal

>-----Original Message-----
>From: Charles E. Perkins [mailto:charliep@iprg.nokia.com] 
>Sent: Wednesday, May 19, 2004 5:34 PM
>To: Chowdhury, Kuntal [RICH1:2H18:EXCH]
>Cc: Nakhjiri Madjid-MNAKHJI1; radiusext@ops.ietf.org; Pete 
>McCann; tom.hiller@lucent.com
>Subject: Re: RADIUS-Mobile IP support??: RADEXT WG Charter
>
>
>
>Hello Kuntal,
>
>How long is too long?
>
>Doesn't it matter that the secret is passed in a
>way that protects it from onlookers?
>
>Regards,
>Charlie P.
>
>
>Kuntal Chowdhury wrote:
>
>>Charlie,
>>
>>sending a user's (static or long-lived) shared-secret over the wire 
>>opens up for attacks. If the MN-HA shared secret is compromised, MIP4 
>>will run into a serious security issue. That's why it is a bad idea.
>>
>>-Kuntal
>>
>>  
>>
>>>-----Original Message-----
>>>From: Charles E. Perkins [mailto:charliep@iprg.nokia.com]
>>>Sent: Wednesday, May 19, 2004 5:11 PM
>>>To: Nakhjiri Madjid-MNAKHJI1
>>>Cc: Chowdhury, Kuntal [RICH1:2H18:EXCH]; 
>>>radiusext@ops.ietf.org; Pete McCann; tom.hiller@lucent.com
>>>Subject: RE: RADIUS-Mobile IP support??: RADEXT WG Charter
>>>
>>>
>>>
>>>Hello folks,
>>>
>>>Since I'm receiving these e-mails, perhaps someone could enlighten me:
>>>
>>>>2. The distribution of MN-HA shared-secret to the HA (from HAAAs) is a
>>>>bad practice. We are not doing that for MIP6 and we may fix that in a
>>>>bug fix release for MIP4.
>>>
>>>Why is this a bad idea?
>>>
>>>I thought it was pretty good, actually...
>>>
>>>
>>>Regards,
>>>Charlie P.
>>>
>>>    
>>>
>
>

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
