
Extended authentication with ISAKMP/Oakley draft
Dear Roy, 

Reading the new extended authentication within ISAKMP/Oakley draft
(draft-ietf-ipsec-isakmp-xauth-00.txt), I have the following problem.
Why do the extra Secure-ID authentication as part of the ISAKMP/Oakley
key exchange? It seems easier to do the Secure-ID authentication
(that is, the NOTIFY messages) *after* the ISAKMP/Oakley exchange is
completed. The NOTIFY messages can then be transmitted securely using,
say, ESP. This is a more modular design. In particular:
* You can use *any* ISAKMP/Oakley mode.
* There is no need to modify/add new modes to ISAKMP/Oakley.
* This way, the NOTIFY messages can be simplified considerably,
since now they get their authentication from ESP. But this is a concern
of the Secure-ID/RADIUS guys.

True, the cost of this modularity is another 1.5 round trips. But this may
be well worth it. (In ISAKMP we pay much more for modularity and good 
uniform design.)


Ran Canetti
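The message flow argued for above, as an added illustration that is not part of the original mail, the draft, or any implementation: the extended (token) authentication runs as three NOTIFY messages after the key exchange has finished, and each NOTIFY inherits its integrity protection from the channel rather than carrying its own. Everything below is a constructed model: the finished exchange is represented by a random shared key rather than a real Diffie-Hellman result, the "ESP" channel is HMAC-SHA256 with a sequence number (integrity only, no encryption), and the request/reply/status NOTIFY layout is hypothetical, not the draft's format.

```python
import hashlib
import hmac
import json
import secrets


def completed_exchange_key() -> bytes:
    """Stand-in for the keying material both peers hold once the
    ISAKMP/Oakley exchange has completed (constructed: a random 256-bit
    value, not a real Diffie-Hellman/SKEYID derivation)."""
    return secrets.token_bytes(32)


class Peer:
    """One end of the protected channel. Each NOTIFY is sent as
    (seq, body, HMAC-SHA256(key, seq || body)); the receiver verifies the
    tag and rejects replays. Only the authentication the NOTIFY messages
    borrow from ESP is modelled; ESP's encryption is omitted here."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key
        self.send_seq = 0
        self.recv_seq = 0

    def seal(self, notify: dict) -> dict:
        body = json.dumps(notify, sort_keys=True)
        mac_input = self.send_seq.to_bytes(4, "big") + body.encode()
        tag = hmac.new(self.key, mac_input, hashlib.sha256).hexdigest()
        packet = {"seq": self.send_seq, "body": body, "tag": tag}
        self.send_seq += 1
        return packet

    def open(self, packet: dict) -> dict:
        if packet["seq"] != self.recv_seq:
            raise ValueError("replayed or out-of-order NOTIFY")
        mac_input = packet["seq"].to_bytes(4, "big") + packet["body"].encode()
        expected = hmac.new(self.key, mac_input, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, packet["tag"]):
            raise ValueError("NOTIFY failed channel authentication")
        self.recv_seq += 1
        return json.loads(packet["body"])


def run_token_auth(user: str, code: str, verify_code) -> tuple:
    """Hypothetical three-message NOTIFY exchange run over the protected
    channel after the key exchange: request, reply, status. Returns
    (accepted, messages_sent). verify_code stands in for the token/RADIUS
    back end the gateway would consult."""
    key = completed_exchange_key()
    gateway, client = Peer("gateway", key), Peer("client", key)
    messages = 0

    # 1. gateway asks the client for the extended credentials
    req = gateway.seal({"notify": "AUTH_REQUEST", "attrs": ["user", "token_code"]})
    messages += 1
    if client.open(req)["notify"] != "AUTH_REQUEST":
        raise ValueError("unexpected NOTIFY type")

    # 2. client answers; the NOTIFY itself carries no MAC or nonce because
    #    the channel already supplies integrity and replay protection
    reply = client.seal({"notify": "AUTH_REPLY", "user": user, "token_code": code})
    messages += 1
    answer = gateway.open(reply)
    accepted = verify_code(answer["user"], answer["token_code"])

    # 3. gateway reports the outcome
    status = gateway.seal({"notify": "AUTH_STATUS", "ok": accepted})
    messages += 1
    return client.open(status)["ok"], messages


def round_trips(messages: int) -> float:
    """Three messages cost the 1.5 extra round trips the mail mentions."""
    return messages / 2


def tampered_reply_is_rejected() -> bool:
    """Alter the reply body in flight; the gateway must refuse it."""
    key = completed_exchange_key()
    gateway, client = Peer("gateway", key), Peer("client", key)
    packet = client.seal({"notify": "AUTH_REPLY", "user": "alice", "token_code": "123456"})
    packet["body"] = packet["body"].replace("123456", "654321")
    try:
        gateway.open(packet)
    except ValueError:
        return True
    return False


# Constructed token server: one valid code per user, for the demo only.
VALID_CODES = {"alice": "123456"}


def demo_verify(user: str, code: str) -> bool:
    return hmac.compare_digest(VALID_CODES.get(user, ""), code)


if __name__ == "__main__":
    ok, n = run_token_auth("alice", "123456", demo_verify)
    print(f"accepted={ok} messages={n} round_trips={round_trips(n)}")
    print("tampered reply rejected:", tampered_reply_is_rejected())
```

The point the model makes visible is the third bullet of the mail: because the channel authenticates and sequences every packet, the NOTIFY payloads reduce to plain attribute lists, and any mode of the preceding exchange can be used unchanged since the token step never touches it.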