Re: Hybrid Authentication and Remote Access
> On Thu, 16 Jul 1998 14:19:50 -0700, Scott G. Kelly wrote:
>
> >I wasn't planning on commenting on this until I'd had a bit more time to
> >review it, but so long as you're bringing it up, I will voice one
> >criticism of the hybrid-auth draft: ISAKMP Notify messages are ONE-WAY.
> >You are using them for a 2-way exchange. This is a hack.
>
> I agree that it is a hack, not because of the one-way nature of the
> notify message, but because the hybrid mode uses them to transfer
> specific information with specific format, and in a perfect protocol
> it should deserve a payload type of its own.
>
> > Read the other drafts.
>
> I read them. From where do you think that I got the idea of using the
> notify payload for challenge response? (read for example
> ISAKMP/XAUTH).
>
> > Hacking your enhancements into the protocol is ridiculous and
> >unjustified, given that the working group is entering another round in
> >which such modifications may be properly implemented if appropriate.
>
> In general I agree with you. The problem is that while the future of
> ISAKMP is the full public key modes, in the present there are large
> installation bases of challenge/response tokens. Thus waiting for the
> next phase of the ipsec to add more notification types is missing
> the point of providing a solution in the near future.
Just want to add my 2 cents here. I want to make sure that whatever the
solution is adopted, it is not restricted to challenge/response algorithms
only and can support more sophisticated schemes like biometrics.
PatC
>
> >
> >Aside from that criticism, I agree that there is a need for such a
> >mechanism, and that this proposal meets that need in one way, and Roy's
> >isakmp-xauth proposal meets it in others. It's certainly worthy of
> >continued discussion.
> >
>
> Regards,
>
> Moshe Litvin