On Thu, May 25, 2006 at 09:24:03PM -0700, Bernard Aboba wrote: > > I have other security-related issues on NACP. My view is that secure > > enhancement of NACP will be equivalent to the EAP over UDP protocol > > the IETF is standardizing, PANA. > > Can you describe why the security of PANA is better than EAP over UDP > (NACP)? I had thought that they were more or less equivalent, since > neither approach mandates protection. NACP does not have its own integrity protection mechanism while PANA has. It is true that PANA AUTH AVP is optional, but the use of protection is mandatory when an EAP method that is capable of deriving keys is used. This is described in the PANA specification draft. We can discuss security aspects more, but what I would really like to say in this thread is that discussing usefulness of PANA or any other EAP transport without deep security analysis does not appear to be the right thing. Yoshihiro Ohba _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf