
Re: Radius authentication and client configuration



At 02:42 PM 4/15/98 -0400, Shawn Mamros wrote:

Shawn, thank you for re-capping part of the discussion at IETF for the
list.  Next week, when I get started on the new charter, words like this
will be needed to scope the issues for policy/config information for IPsec.

>
>One problem which arises in certain situations is that policy/configuration
>information may be needed *before* an IPSEC SA can be established.  And
>until the IPSEC SAs are set up, it may not be possible to trust that protocols
>other than ISAKMP are properly secured.  So, there's a bit of a Catch 22
>in doing anything outside of the context of ISAKMP.
>
>By placing policy/configuration setup in ISAKMP (between Phases 1 and 2)
>under protection of the ISAKMP SA, Roy's proposal for an ISAKMP Configuration
>Method addresses the security needs quite nicely.  That's not to say that
>one couldn't base the payload/exchange format on DIAMETER or whatever else
>is already out there.  But the ISAKMP SA only protects ISAKMP, and until
>the IPSEC SAs are set up, ISAKMP may very well be all you can trust.


Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com

