RE: Kerberos

> 
> >>>>> "Narayanan," == Narayanan, Vidya <vidyan@xxxxxxxxxxxx> writes:
>     Narayanan,> I fully agree. As far as I can tell, using EAP in this
>     Narayanan,> manner merely reduces it to a posture transport
>     Narayanan,> protocol. The level of security provided by EAPoUDP
>     Narayanan,> does not seem to be any greater than a Kerberos-based
>     Narayanan,> authentication done today in most enterprise networks,
>     Narayanan,> considering the presence of switched ethernet. Hence,
>     Narayanan,> the only reason to move to EAPoUDP would be to check
>     Narayanan,> posture and I agree with Sam that making EAP the
>     Narayanan,> posture transport protocol is a bad idea.
> 
> Hey!
> Speaking as MIT's manager for Kerberos, I'm insulted:-)
> 
> We certainly recommend, and the Kerberos protocols I'm aware 
> of almost all support, using Kerberos to actually key 
> integrity protection or confidentiality.  Uses in enterprise 
> networks for LDAP, SMTP and file sharing all support and use 
> binding of integrity or confidentiality.
> 
> 
> We strongly discourage the use of Kerberos without integrity 
> bound to the authentication.
> 
> There are a number of cases where Kerberos is used in a 
> manner similar to RADIUS/Diameter, but that's really more for 
> convenience to have your passwords in one place than because 
> you're making good use of Kerberos.  You're not making bad 
> use of Kerberos per se, but you certainly could be providing 
> a lot better security.
>

Perhaps I should have clarified better in my email :) I am not at all
disputing that Kerberos provides a higher level of security when used with
integrity protection or confidentiality keys bound to the
authentication. The point I was trying to make was that *even* when
Kerberos is only used for authentication (without any key binding), it
provides as much security as using EAPoUDP for authentication as is
being discussed here. Hence, even in that scenario, I see no advantage
in doing EAPoUDP (other than to transport posture data, as is being
perceived in the NEA work).

Regards,
Vidya
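The distinction the two posters are drawing, authentication-only use of Kerberos versus using the session key established during authentication to integrity-protect every later message, can be seen in a small model. The following is an added example written for this archive page; it is not code from the thread, from MIT Kerberos or from any EAP implementation. It assumes a toy "KDC" that simply hands both parties a fresh random key, uses HMAC-SHA256 as a stand-in for a Kerberos integrity enctype, and constructs the message traffic inline. `AuthOnlyService` accepts one proof and then trusts the connection; `BoundService` demands a valid tag and sequence number on each message, so a message injected without the key (or a replayed one) is dropped even after authentication succeeded.

```python
import hashlib
import hmac
import os


def issue_session_key() -> bytes:
    """Constructed stand-in for the KDC: after the Kerberos exchange both the
    client and the service hold the same fresh session key."""
    return os.urandom(32)


def tag(key: bytes, msg: bytes) -> bytes:
    """Integrity tag under the session key (HMAC-SHA256 is a toy choice here,
    not a real Kerberos encryption type)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def framed(seq: int, msg: bytes) -> bytes:
    """Bind a sequence number to the message before tagging (anti-replay)."""
    return seq.to_bytes(4, "big") + msg


class AuthOnlyService:
    """Mode 1: Kerberos used only to authenticate. After one valid proof the
    service trusts everything that later arrives on the 'connection'."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.authenticated = False
        self.accepted = []

    def authenticate(self, proof: bytes) -> bool:
        self.authenticated = hmac.compare_digest(proof, tag(self.key, b"AUTH"))
        return self.authenticated

    def receive(self, msg: bytes) -> bool:
        if not self.authenticated:
            return False
        self.accepted.append(msg)
        return True


class BoundService:
    """Mode 2: the session key from authentication also keys per-message
    integrity, so each message must carry the expected sequence number and
    a tag computed under that key."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.authenticated = False
        self.next_seq = 0
        self.accepted = []

    def authenticate(self, proof: bytes) -> bool:
        self.authenticated = hmac.compare_digest(proof, tag(self.key, b"AUTH"))
        return self.authenticated

    def receive(self, msg: bytes, seq: int, mac: bytes) -> bool:
        if not self.authenticated or seq != self.next_seq:
            return False  # unauthenticated session or out-of-order/replayed frame
        if not hmac.compare_digest(mac, tag(self.key, framed(seq, msg))):
            return False  # sender did not hold the session key
        self.next_seq += 1
        self.accepted.append(msg)
        return True


def demo() -> dict:
    """Run both modes against the same constructed traffic and report which
    messages each service accepted."""
    key = issue_session_key()
    proof = tag(key, b"AUTH")
    legit = b"GET /payroll"            # constructed: sent by the real client
    injected = b"DELETE /payroll"      # constructed: sent by a party without the key

    auth_only = AuthOnlyService(key)
    auth_only.authenticate(proof)
    auth_only.receive(legit)
    auth_only_injected = auth_only.receive(injected)

    bound = BoundService(key)
    bound.authenticate(proof)
    legit_tag = tag(key, framed(0, legit))
    bound_legit = bound.receive(legit, 0, legit_tag)
    bound_injected = bound.receive(injected, 1, b"\x00" * 32)  # bogus tag
    bound_replay = bound.receive(legit, 0, legit_tag)          # seq 0 reused

    return {
        "auth_only_accepts_injected": auth_only_injected,
        "bound_accepts_legit": bound_legit,
        "bound_accepts_injected": bound_injected,
        "bound_accepts_replay": bound_replay,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the authentication-only service accepting the injected request while the key-bound service accepts only the correctly tagged, correctly sequenced one. That gap is the "lot better security" the Kerberos post refers to; it is also why a posture-transport protocol that ends at authentication gains nothing over authentication-only Kerberos on the same switched segment.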

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

