
Hybrid Authentication and Remote Access




  Since others on this list may have an interest in using
  IPSec for remote access scenarios, I'd like to share the
  following e-mail exchange with Moshe Litvin.
  
  It is posted here with his permission.
  
  vipul
  
-----------------------------------------------------------

Date: Mon, 13 Jul 1998 20:42:06 +0300
From: Moshe Litvin <moshe@CheckPoint.COM>
MIME-Version: 1.0
To: Vipul Gupta <vgupta@nobel.eng.sun.com>
CC: moshe@CheckPoint.COM, roy@CheckPoint.COM
Subject: Re: Your draft on Hybrid Authentication
Content-Transfer-Encoding: 7bit

Vipul Gupta wrote:
 
>   Hello,
> 
>     I read your draft titled "A Hybrid Authentication Mode
>   for IKE" with great interest. I am very interested in the
>   use of IPSec for remote access scenarios myself and see
>   your draft as supplying a crucial missing piece (if you
>   could review draft-gupta-ipsec-remote-access-00.txt and
>   send me feedback, I'd appreciate it).
> 
>     What is your opinion regarding draft-ietf-ipsec-isakmp-xauth-02.txt
>   which also describes the use of token cards
>   and one-time passwords for authentication with ISAKMP?
>   That draft assumes that the OTP/token card interaction
>   occurs *after* a phase one ISAKMP SA has already been
>   established (i.e. the ISAKMP negotiators have already
>   authenticated themselves mutually). With these assumptions,
>   it isn't clear to me that there are many scenarios where
>   the xauth draft will be applicable.
> 
>     Your draft proposed the use of existing authentication
>   mechanisms like token cards etc for Phase I SA establishment
>   and seems to have wider applicability. Any comments/feedback
>   appreciated.
> 
>   Thanks,
> 
>   vipul
> 
> --
> Vipul Gupta, Ph.D.
> Mailstop UMPK15-214
> Sun Microsystems Inc.              Email: vipul.gupta@Eng.Sun.COM
> 901 San Antonio Road               Tel: +1 (650) 786 3614
> Palo Alto CA 94303-4900            Fax: +1 (650) 786 6445

I think that the hybrid mode has several advantages over ISAKMP/XAUTH.
There is the reason that you stated, that ISAKMP/XAUTH can be done only after
phase 1, so we have the problem of an established ISAKMP SA which is not yet
completely secure because the ISAKMP/XAUTH hasn't started.

It also has security advantages that are gained through the use of public
keys, without the need for a full-blown PKI as in the case of the full
public key modes.

The most natural way to apply ISAKMP/XAUTH is to have a PHASE 1
authenticated by pre-shared secrets (because if you can do something
more powerful in phase 1 you probably don't want ISAKMP/XAUTH) and then
authenticate only the user with the ISAKMP/XAUTH.

But since a user must remember the pre-shared secret, it is vulnerable to
dictionary attacks, and without the pre-shared secret there is no server
authentication and you are vulnerable to a man-in-the-middle attack.

I also read your draft, and found that when we designed our remote
access solution (SecuRemote) we encountered the same problems and we
implemented/will implement most of the solutions that you suggested.

As for the configuration problem, we don't think that a manual
configuration of which gateway protects which hosts is feasible; the
configuration is too complicated for the normal end user, especially
where there are a lot of networks and gateways. I believe that a standard
way of fetching that configuration information is a must for an
interoperable remote access solution.

BTW
   If you would like to continue this discussion, I would appreciate it if
you did it on the ipsec list. It may encourage others to join the
discussion.

regards

	Moshe Litvin

-- 
-----------------------------------------------------------------------
Moshe Litvin                    Check Point Software Technologies Ltd.

moshe@checkpoint.com            Tel:   +972-3-753-4601 (972-3-753-4555)
                                Fax:   +972-3-575-9256
-----------------------------------------------------------------------
