FW: DISCUSS: draft-ietf-radext-rfc3576bis

-----Original Message-----
From: Sam Hartman [mailto:hartmans-ietf@mit.edu] 
Sent: Thursday, October 18, 2007 2:56 PM
To: iesg@ietf.org
Cc: radext-chairs@tools.ietf.org
Subject: DISCUSS: draft-ietf-radext-rfc3576bis 

Discuss:
The RFC 2401 IPsec model does not actually support the concept of a
security policy entry that is "accept protected traffic but don't
require it."  Some of the suggested policies in the security
considerations section seem to rely on this.  Since we have no mechanism
for an application to find out if traffic is protected, I don't think
that you can actually have a secure setup if you sometimes use IPsec
with a given source and sometimes do not.  Please make the sample
policies consistent with RFC 2401.  Also, please take a look at
draft-bellovin-use-ipsec and include the information specified by that
draft.  You don't seem to say what IKE authentication modes need to be
supported. You may get a long way by referring to RFC 4945.

I'm confused by section 6.2.  Does the attack described there actually
happen if the first-hop proxy uses a different secret for each DAS/NAS
and confirms that the right secret is used?  I.e., confirms that the NAS
identity matches the expected NAS identity for the secret?


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
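
The check the second question in the message describes, a first-hop proxy that keeps a separate secret per NAS and confirms the NAS identity matches the one expected for that secret, sketched as an added example (not code from the draft or from the e-mail). The client table, the addresses and names in it, and the choice of NAS-Identifier plus Message-Authenticator as the identity and integrity attributes are assumptions made for illustration.

```python
import hashlib, hmac, os, struct

NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 32, 80  # RADIUS attribute types

# Constructed first-hop proxy client table: source IP -> (secret, expected NAS identity)
CLIENTS = {
    "192.0.2.10": (b"secret-for-nas-a", b"nas-a.example"),
    "192.0.2.20": (b"secret-for-nas-b", b"nas-b.example"),
}

def parse_attrs(packet):
    """Return [(type, value_offset, value)] for the attributes after the 20-octet header."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_access_request(secret, nas_id):
    """Build a constructed Access-Request carrying NAS-Identifier and Message-Authenticator."""
    attrs = bytes([NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # MAC field zeroed for now
    pkt = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + os.urandom(16) + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()  # HMAC-MD5 over the whole packet
    return pkt[:-16] + mac

def check_request(src_ip, packet):
    """Pick the secret by source address, verify the MAC, then bind identity to that secret."""
    if src_ip not in CLIENTS:
        return "reject: unknown client"
    secret, expected_id = CLIENTS[src_ip]
    attrs = {t: (off, val) for t, off, val in parse_attrs(packet)}
    if MESSAGE_AUTHENTICATOR not in attrs or NAS_IDENTIFIER not in attrs:
        return "reject: missing attribute"
    off, mac = attrs[MESSAGE_AUTHENTICATOR]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    if not hmac.compare_digest(mac, hmac.new(secret, zeroed, hashlib.md5).digest()):
        return "reject: wrong secret"
    if attrs[NAS_IDENTIFIER][1] != expected_id:
        return "reject: NAS identity does not match secret"
    return "accept"
```

With a single secret shared by every NAS, the last comparison has nothing to bind to: any holder of the secret produces a valid Message-Authenticator over any NAS-Identifier.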