
Re: Basic IKE authentication question




At 03:08 PM 12/30/98 -0500, Ramon Hontanon wrote:
>What are the available options for peer authentication before an IPsec
>tunnel can be established? I suspect that they are:
>
>- Pre-shared keys (i.e. some string that both peers agree upon in advance)
>- X.509 certs from a Certificate Authority
>
>But how about:
>
>- Unverified public key exchange (like ssh)
>- Manual distribution of public keys (Cisco's IKE implementation)

... and don't forget:

- password-authenticated key exchange (like EKE, SPEKE, SRP)

This is like "pre-shared keys", but stronger in case
the key is small or brute-forceable.

-- dpj

-------------------------
David P. Jablon
Integrity Sciences, Inc.
dpj@world.std.com
<http://world.std.com/~dpj/>
+1 508 898 9024