>>>>> "Narayanan," == Narayanan, Vidya <vidyan@xxxxxxxxxxxx> writes:
Narayanan,> I fully agree. As far as I can tell, using EAP in this
Narayanan,> manner merely reduces it to a posture transport
Narayanan,> protocol. The level of security provided by EAPoUDP
Narayanan,> does not seem to be any greater than a kerberos-based
Narayanan,> authentication done today in most enterprise networks,
Narayanan,> considering the presence of switched ethernet. Hence,
Narayanan,> the only reason to move to EAPoUDP would be to check
Narayanan,> posture and I agree with Sam that making EAP the
Narayanan,> posture transport protocol is a bad idea.
Hey!
Speaking as MIT's manager for Kerberos, I'm insulted:-)
We certainly recommend and the Kerberos protocols I'm aware of almost
all support using Kerberos to actually key integrity protection or
confidentiality. Use in enterprise networks for LDAP, SMTP, file
sharing all support and use binding of integrity or confidentiality.
We strongly discourage the use of Kerberos without integrity bound to
the authentication.
There are a number of cases where Kerberos is used in a manner similar
to radius/diameter, but that's really more for convenience to have
your passwords in one place than because you're making good use of
Kerberos. You're not making bad use of Kerberos per se, but you
certainly could be providing a lot better security.
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf