RE: RADIUS-Mobile IP support??: RADEXT WG Charter
Kuntal,
As far as I understood, the secrets are hashed with MN-AAA keys.
Any key distribution method that happens on-line has to be done this way.
Also the secrets are only needed for the duration of Mobile's visit
to the foreign network. How is that more long lived than a key established during IKE?
Madjid
-----Original Message-----
From: Kuntal Chowdhury [mailto:chowdury@nortelnetworks.com]
Sent: Wednesday, May 19, 2004 5:18 PM
To: Charles E. Perkins; Nakhjiri Madjid-MNAKHJI1
Cc: radiusext@ops.ietf.org; Pete McCann; tom.hiller@lucent.com
Subject: RE: RADIUS-Mobile IP support??: RADEXT WG Charter
Charlie,
Sending a user's (static or long-lived) shared-secret over the wire opens up
for attacks. If the MN-HA shared secret is compromised, MIP4 will run into
a serious security issue. That's why it is a bad idea.
-Kuntal
>-----Original Message-----
>From: Charles E. Perkins [mailto:charliep@iprg.nokia.com]
>Sent: Wednesday, May 19, 2004 5:11 PM
>To: Nakhjiri Madjid-MNAKHJI1
>Cc: Chowdhury, Kuntal [RICH1:2H18:EXCH];
>radiusext@ops.ietf.org; Pete McCann; tom.hiller@lucent.com
>Subject: RE: RADIUS-Mobile IP support??: RADEXT WG Charter
>
>
>
>Hello folks,
>
>Since I'm receiving these e-mails, perhaps someone could enlighten me:
>
>>2. The distribution of MN-HA shared-secret to the HA (from HAAAs) is a
>>bad practice. We are not doing that for MIP6 and we may fix that in a
>>bug fix release for MIP4.
>>
>>
>Why is this a bad idea?
>
>I thought it was pretty good, actually...
>
>
>Regards,
>Charlie P.
>
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>