Re: Hybrid Authentication and Remote Access
On Thu, 16 Jul 1998 14:19:50 -0700, Scott G. Kelly wrote:
>I wasn't planning on commenting on this until I'd had a bit more time to
>review it, but so long as you're bringing it up, I will voice one
>criticism of the hybrid-auth draft: ISAKMP Notify messages are ONE-WAY.
>You are using them for a 2-way exchange. This is a hack.
I agree that it is a hack, not because of the one-way nature of the
notify message, but because the hybrid mode uses them to transfer
specific information with specific format, and in a perfect protocol
it should deserve a payload type of its own.
> Read the other drafts.
I read them. From where do you think that I got the idea of using the
notify payload for challenge response? (read for example
ISAKMP/XAUTH).
> Hacking your enhancements into the protocol is ridiculous and
>unjustified, given that the working group is entering another round in
>which such modifications may be properly implemented if appropriate.
In general I agree with you. The problem is that while the future of
ISAKMP is the full public key modes, in the present there are large
installation bases of challenge/response tokens. Thus waiting for the
next phase of IPsec to add more notification types is missing
the point of providing a solution in the near future.
>
>Aside from that criticism, I agree that there is a need for such a
>mechanism, and that this proposal meets that need in one way, and Roy's
>isakmp-xauth proposal meets it in others. It's certainly worthy of
>continued discussion.
>
Regards,
Moshe Litvin