Josh Howlett wrote:
> Am I correct in understanding that section 3.3 ('Chained EAP Methods')
> is not a violation of RFC3748 because it only applies to methods run
> *within* the tunnel method itself, and not to other methods that might
> precede or follow the tunnel method? In other words, this is not an
> attempt to change the behaviour stipulated in RFC3748?
That would be my understanding. Section 2.1 of RFC 3748 also says:

   Multiple authentication methods within an EAP conversation are not
   supported due to their vulnerability to man-in-the-middle attacks
   (see Section 7.4) and incompatibility with existing implementations.

And Section 7.4 says:

   As noted in Section 2.1, EAP does not permit untunneled sequences of
   authentication methods. Due to MITM attacks, which may be mitigated by:

   [b] Requiring cryptographic binding between the EAP tunneling protocol
       and the tunneled EAP methods.

Hence the current WG work items on cryptographic binding.

  Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
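The following is an added illustration of the cryptographic binding Alan refers to; it is not part of the thread and is not the exact Crypto-Binding construction of any particular tunnel method (TEAP, PEAP, etc.). It models the MITM that RFC 3748 Section 7.4 worries about: an attacker opens its own tunnel to the server and relays an inner EAP method that the victim peer is running untunneled. The tunnel key and inner-method key are constructed constants, the transcript is a placeholder string, and the compound-key derivation (folding each inner method's exported key into the tunnel key with HMAC) is a simplified stand-in chosen for the example. The last case also shows the standard caveat: if the inner method exports no key, there is nothing to bind and the check cannot distinguish the attacker from the real peer.

```python
import hashlib
import hmac

# Constructed, fixed values so the example is reproducible (hypothetical keys).
TUNNEL_KEY_PEER_SERVER = b"T" * 32   # key from the victim peer's own TLS tunnel
TUNNEL_KEY_MITM_SERVER = b"A" * 32   # key from the attacker's TLS tunnel to the server
INNER_METHOD_KEY = b"K" * 32         # key exported by the inner EAP method (peer and server know it)
TRANSCRIPT = b"EAP-Request/Identity|EAP-Response/Identity|inner-method-success"


def derive_compound_key(tunnel_key: bytes, inner_keys: list) -> bytes:
    """Fold every inner method's exported key into the tunnel key, in order.

    A party that lacks any one of these keys cannot derive the compound key.
    (Simplified model, not a specific RFC's key hierarchy.)
    """
    ck = tunnel_key
    for k in inner_keys:
        ck = hmac.new(ck, k, hashlib.sha256).digest()
    return ck


def binding_mac(compound_key: bytes, transcript: bytes) -> bytes:
    """MAC over the exchange transcript keyed with the compound key."""
    return hmac.new(compound_key, b"crypto-binding|" + transcript, hashlib.sha256).digest()


def server_accepts(tunnel_key: bytes, inner_keys_seen: list, mac_from_tunnel_client: bytes) -> bool:
    """Server side: recompute the binding from what it knows about this tunnel and
    the inner methods it ran inside it, then compare in constant time."""
    expected = binding_mac(derive_compound_key(tunnel_key, inner_keys_seen), TRANSCRIPT)
    return hmac.compare_digest(expected, mac_from_tunnel_client)


def honest_session() -> bool:
    """Peer ran the inner method inside its own tunnel, so it knows both T and K."""
    peer_mac = binding_mac(derive_compound_key(TUNNEL_KEY_PEER_SERVER, [INNER_METHOD_KEY]), TRANSCRIPT)
    return server_accepts(TUNNEL_KEY_PEER_SERVER, [INNER_METHOD_KEY], peer_mac)


def mitm_session(inner_method_exports_key: bool = True) -> bool:
    """Attacker owns the tunnel with the server (T_A) but only relayed the inner
    method from an untunneled run with the victim, so it never learns K.

    Returns True if the server (wrongly) accepts the attacker's binding."""
    inner_keys_server_side = [INNER_METHOD_KEY] if inner_method_exports_key else []
    # Best the attacker can do: bind with the tunnel key alone.
    attacker_mac = binding_mac(derive_compound_key(TUNNEL_KEY_MITM_SERVER, []), TRANSCRIPT)
    return server_accepts(TUNNEL_KEY_MITM_SERVER, inner_keys_server_side, attacker_mac)


if __name__ == "__main__":
    print("honest peer accepted:", honest_session())
    print("MITM accepted (key-exporting inner method):", mitm_session())
    print("MITM accepted (inner method exports no key):", mitm_session(False))
```

The binding only works because the inner method contributes key material that the tunnel client must prove it holds; with a non-key-generating inner method the compound key collapses to the tunnel key, which the attacker legitimately has, and the relay goes undetected.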