
RE: RADIUS-Mobile IP support??: RADEXT WG Charter



We cannot assume that the HA and the HAAA server SHALL always be in the same
administrative domain. Moreover, for RADIUS, every proxy in the PATH will
see the MN-HA shared secret. 

Again, this issue should be discussed with security area folks.

-Kuntal

>-----Original Message-----
>From: Lila Madour (QA/EMC) [mailto:lila.madour@ericsson.com] 
>Sent: Wednesday, May 19, 2004 6:08 PM
>To: Chowdhury, Kuntal [RICH1:2H18:EXCH]; Charles E. Perkins
>Cc: Nakhjiri Madjid-MNAKHJI1; radiusext@ops.ietf.org; Pete 
>McCann; tom.hiller@lucent.com
>Subject: RE: RADIUS-Mobile IP support??: RADEXT WG Charter
>
>
>If the AAA and the HA are in the same administrative domain, 
>and if we assume it is a secure link between the AAA and the 
>HA, the security issue of distributing the key from the AAAH 
>to the HA may not be critical. 
>Lila
>
>-----Original Message-----
>From: owner-radiusext@ops.ietf.org 
>[mailto:owner-radiusext@ops.ietf.org]On Behalf Of Kuntal Chowdhury
>Sent: Wednesday, May 19, 2004 6:48 PM
>To: Charles E. Perkins
>Cc: Nakhjiri Madjid-MNAKHJI1; radiusext@ops.ietf.org; Pete 
>McCann; tom.hiller@lucent.com
>Subject: RE: RADIUS-Mobile IP support??: RADEXT WG Charter
>
>
>Charlie,
>
>MN-HA shared secret can be changed every moment or may be 
>static (other end of the spectrum). Distribution of static 
>pre-configured keys (not derived) is not a good crypto 
>practice. Maybe we should ask security area experts to 
>comment on key distribution.
>
>-Kuntal
>
>>-----Original Message-----
>>From: Charles E. Perkins [mailto:charliep@iprg.nokia.com]
>>Sent: Wednesday, May 19, 2004 5:34 PM
>>To: Chowdhury, Kuntal [RICH1:2H18:EXCH]
>>Cc: Nakhjiri Madjid-MNAKHJI1; radiusext@ops.ietf.org; Pete 
>>McCann; tom.hiller@lucent.com
>>Subject: Re: RADIUS-Mobile IP support??: RADEXT WG Charter
>>
>>
>>
>>Hello Kuntal,
>>
>>How long is too long?
>>
>>Doesn't it matter that the secret is passed in a
>>way that protects it from onlookers?
>>
>>Regards,
>>Charlie P.
>>
>>
>>Kuntal Chowdhury wrote:
>>
>>>Charlie,
>>>
>>>Sending a user's (static or long-lived) shared-secret over the wire
>>>opens up for attacks. If the MN-HA shared secret is compromised, MIP4
>>>will run into serious security issues. That's why it is a bad idea.
>>>
>>>-Kuntal
>>>
>>>>-----Original Message-----
>>>>From: Charles E. Perkins [mailto:charliep@iprg.nokia.com]
>>>>Sent: Wednesday, May 19, 2004 5:11 PM
>>>>To: Nakhjiri Madjid-MNAKHJI1
>>>>Cc: Chowdhury, Kuntal [RICH1:2H18:EXCH];
>>>>radiusext@ops.ietf.org; Pete McCann; tom.hiller@lucent.com
>>>>Subject: RE: RADIUS-Mobile IP support??: RADEXT WG Charter
>>>>
>>>>
>>>>
>>>>Hello folks,
>>>>
>>>>Since I'm receiving these e-mails, perhaps someone could
>>>>enlighten me:
>>>>
>>>>>2. The distribution of MN-HA shared-secret to the HA (from
>>>>>HAAAs) is a bad practice. We are not doing that for MIP6 and
>>>>>we may fix that in a bug fix release for MIP4.
>>>>
>>>>Why is this a bad idea?
>>>>
>>>>I thought it was pretty good, actually...
>>>>
>>>>
>>>>Regards,
>>>>Charlie P.
>>>>
>>
>>
>

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
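The two points argued in the thread above, that RADIUS hiding is hop by hop so every proxy on the path recovers the MN-HA secret, and that a derived per-session key is preferable to shipping a static pre-configured one, can both be seen in a small simulation. The code below is an added illustration written for this archive page; it is not code from the thread, from the RADEXT working group or from any IETF specification. The `hide_password`/`unhide_password` pair implements the User-Password hiding of RFC 2865 section 5.2 (MD5 keyed with the per-hop shared secret, which is what RADIUS actually uses). The `derive_mn_ha_key` function is a hypothetical HMAC-based derivation, assumed here only to show what "derived, not static" means for what crosses the wire; it is not a Mobile IP or RADIUS mechanism. Hop secrets, NAIs and nonces are constructed sample values.

```python
# Added illustration for the RADEXT thread on MN-HA key distribution.
# Not from the thread or from any IETF specification.
import hashlib
import hmac
import os


def hide_password(plaintext, hop_secret, authenticator):
    """RFC 2865 section 5.2 hiding: pad to 16-byte blocks, XOR each block with
    MD5(hop_secret + previous ciphertext block); the first block uses the
    16-byte Request Authenticator. MD5 is used only because RADIUS specifies it."""
    assert len(authenticator) == 16
    padded = plaintext + b"\x00" * ((-len(plaintext)) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(hop_secret + prev).digest()
        c = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += c
        prev = c          # chaining: next keystream block depends on this ciphertext
    return bytes(out)


def unhide_password(ciphertext, hop_secret, authenticator):
    """Inverse of hide_password; strips the zero padding (RADIUS passwords are
    printable, so trailing NULs are padding)."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(ciphertext), 16):
        block = hashlib.md5(hop_secret + prev).digest()
        c = ciphertext[i:i + 16]
        out += bytes(a ^ b for a, b in zip(c, block))
        prev = c
    return bytes(out).rstrip(b"\x00")


def forward_through_proxies(secret, hop_secrets):
    """Simulate HAAA -> proxy -> ... -> HA. Hiding is keyed per hop, so each
    proxy must unhide with its inbound secret and re-hide with its outbound one.
    Returns the plaintext recovered at every proxy, then at the HA."""
    observed = []
    authenticator = os.urandom(16)
    wire = hide_password(secret, hop_secrets[0], authenticator)
    for inbound, outbound in zip(hop_secrets, hop_secrets[1:]):
        plain = unhide_password(wire, inbound, authenticator)  # proxy sees the key
        observed.append(plain)
        authenticator = os.urandom(16)
        wire = hide_password(plain, outbound, authenticator)   # re-hide for next hop
    observed.append(unhide_password(wire, hop_secrets[-1], authenticator))  # HA
    return observed


def derive_mn_ha_key(mn_aaa_root_key, mn_nai, ha_id, nonce):
    """Hypothetical (assumed) derivation: the HAAA hands the HA only an
    HMAC-SHA256 value bound to the MN, the HA and a fresh nonce. A proxy that
    reads this value learns one session key, not the long-lived root key."""
    label = b"MN-HA|" + mn_nai + b"|" + ha_id + b"|" + nonce
    return hmac.new(mn_aaa_root_key, label, hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed sample values.
    static_secret = b"static-mn-ha-secret"
    hops = [b"haaa-proxy1", b"proxy1-proxy2", b"proxy2-ha"]
    for n, view in enumerate(forward_through_proxies(static_secret, hops)):
        who = "HA" if n == len(hops) - 1 else "proxy%d" % (n + 1)
        print("%-7s recovered: %r" % (who, view))
    root = os.urandom(32)
    k = derive_mn_ha_key(root, b"mn@example.net", b"ha.example.net", os.urandom(16))
    print("derived MN-HA session key:", k.hex(), "(root key never on the wire)")
```

Run it and every proxy prints the same plaintext as the HA, which is the point of the "every proxy in the PATH will see the MN-HA shared secret" argument; the derived key, by contrast, changes with each nonce and does not reveal the root key even to a hop that reads it.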