
Re: ISAKMP performance




>  Another way to solve this is to realize that the NAS doesn't store
> the user authentication database locally either. The long term SA
> (spi+keys) can be stored in the radius/tacacs server. This is
> desirable, since the user may login to different NAS servers each
> day. Clearly, the keys need to be protected in transit. IPsec between
> the NAS and authentication server should provide that (or a physically
> secure wire may be appropriate). 

I think it's been shown that RADIUS, in particular, isn't anywhere near
secure enough for this.

-- 
Jim Thompson / Smallworks, Inc. / jim@smallworks.com  
      512 338 0619 phone / 512 338 0625 fax
   "Hiroshima '45, Chernobyl '86, Windows '95"

