
Re: Radius authentication and client configuration



> I am not stating that it should be used for key negotiation, but if Policy
> Server support is required (which I can imagine it would for scalability
> purposes) I would like to propose DIAMETER. I would be happy to have someone
> write whatever extensions are required for the IPSEC WG and can help in this
> area if need be.

One problem which arises in certain situations is that policy/configuration
information may be needed *before* an IPSEC SA can be established.  And
until the IPSEC SAs are set up, it may not be possible to trust that protocols
other than ISAKMP are properly secured.  So, there's a bit of a Catch 22
in doing anything outside of the context of ISAKMP.

By placing policy/configuration setup in ISAKMP (between Phases 1 and 2)
under protection of the ISAKMP SA, Roy's proposal for an ISAKMP Configuration
Method addresses the security needs quite nicely.  That's not to say that
one couldn't base the payload/exchange format on DIAMETER or whatever else
is already out there.  But the ISAKMP SA only protects ISAKMP, and until
the IPSEC SAs are set up, ISAKMP may very well be all you can trust.

-Shawn Mamros
E-mail to: smamros@BayNetworks.com
