Sifry's Alerts

David,
Good column - I found it quite interesting.

I think the certificate issue is huge. The average consumer will have no desire to deal with certification. Actually - in some respects I'm really surprised that EAP-TLS and now PEAP, has gained traction. In my opinion, certificate management is an enough of an issue that I personally wouldn't let in the door.

However, since PEAP is a Microsoft initiative, it will probably be a market force.

I am a fan of EAP-TTLS - its very secure and does not require a certificate - although it does require client software. But at least client software does not have the same infrastructure management issues as certificates.

Of course both PEAP and EAP-TTLS require RADIUS servers. Can we really imagine the average home user setting up a RADIUS server?

I guess this all goes to show that good security is not simple.

Steph

A very good take on the situation. Like Stephanie, I'm a fan of EAP-TTLS (EAP-TLS if you don't have to worry about folks w/o certs as a corporate PKI infrastructure might have).

What's to stop someone like Linksys or D-Link from adding a mini-RADIUS server/MS-CHAP-V2 combo to their product? (RAM is cheap, embedded processors are beefy enough for a home network implementation). I'm not suggesting this is a good thing (actually, I'm suggesting the exact opposite).

I really wish EAP-TTLS had been given more of a go-round and a chance to live in the wild before the 800-lb gorilla made its move. However, the market forces go way beyond Microsoft for EAP-PEAP. If you take a look at the protocol very closely, you see that it really does work well in - say - a 802.11b "cell tower" type implementation where you seamlessly roam from AP to AP without much overhead on anything. I know this type of roaming it's possible with EAP-TTLS too (and more secure), but it has much more overhead.

The security problems with PEAP (re-read the RFC) still scare me...

A very good take on the situation. Like Stephanie, I'm a fan of EAP-TTLS (EAP-TLS if you don't have to worry about folks w/o certs as a corporate PKI infrastructure might have).

What's to stop someone like Linksys or D-Link from adding a mini-RADIUS server/MS-CHAP-V2 combo to their product? (RAM is cheap, embedded processors are beefy enough for a home network implementation). I'm not suggesting this is a good thing (actually, I'm suggesting the exact opposite).

I really wish EAP-TTLS had been given more of a go-round and a chance to live in the wild before the 800-lb gorilla made its move. However, the market forces go way beyond Microsoft for EAP-PEAP. If you take a look at the protocol very closely, you see that it really does work well in - say - a 802.11b "cell tower" type implementation where you seamlessly roam from AP to AP without much overhead on anything. I know this type of roaming it's possible with EAP-TTLS too (and more secure), but it has much more overhead.

The security problems with PEAP (re-read the RFC) still scare me...

Couple of things I've heard from Microsoft types:

PEAP and 802.11X support will be back ported to the current PocketPC edition. This is mostly so they can use their PocketPC devices around the Microsoft campus! Full support though will need the new new version of PocketPC.

You should be able to do a BSD implimentation of the PEAP stuff. They've published (or are about to) all the specs, but with the usual "no GPL" clause. I guess you'll need to put all the protected stuff in a BSD licencsed program, then call it (as a seperate program, not a license) from your GPL code. Such fun....

hi Steph et al.

First, talking about certificates, EAP-TTLS and PEAP are equal, i.e. neither of the both needs a deployment of client computer certificates. The main text here is correct stating the need for the accept of new server certificates only. Once more: in PEAP no client certificates are needed, just like in TTLS.

Now for RADIUS: being strict, neither TTLS nor PEAP dictate the use of RADIUS. In fact, when you read the drafts, you will find that RADIUS is not even mentioned. It's logical, since RADIUS is the protocol used between the Authentication Server and the NAS and the drafts describe a protocol between the supplicant and the Auth Server. If you want to be even more precise, according to the IEEE 802.1X standard the Authenticator and the Auth Server could be co-located. Their separation is explicitely declared optional.

Practically, however, you are right, but simply because today there is still no alternative to RADIUS. Such an alternative could be DIAMETER or COPS, not meaning that it would become easier to install/manage. Nevertheless, in the future such a "backend server" could be included in whichever wireless box (remaining 802.1X-compliant!), thus making the use of a real backend server unnecessary. I hope, this answers some of your doubts.

The much more interesting problem in my eyes is the question, why MS/Cisco/RSA submit the PEAP draft whereis the TTLS draft has been a draft for a while now. PEAP basically does exactly the same,
we could even say "copies TTLS"... More: in the PEAP draft, there is no word (neither critics nor deficiency nor existence) on TTLS. Now that's really weird.

Greetings,

artur

I've been working in GL integration in the OMG AR/AP project, in ebXML, and in XBRL. There is an uncanny similarity between the GLs in the infrastruc. layers such as DIAMETER and at higher layers of the stack. Individuals need an end-to-end principle between their root ledger and anybody else before they can conduct bus. since nobody ever, in history has ever ever delegated their GL or custody of thei wallet to anybody.

Help us people,
Todd Boyle CPA
editor www.arapxml.net
http://www.gldialtone.com/IETFaccounting.htm
http://www.gldialtone.com/devices.htm