[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Question about Extended Authentication in IKE

To: Waters Stephen <stephen.Waters@cabletron.com>, ipsec@tis.com
Subject: RE: Question about Extended Authentication in IKE
From: Tim Jenkins <tjenkins@TimeStep.com>
Date: Mon, 22 Feb 1999 08:35:17 -0500
Sender: owner-ipsec@ex.tis.com

To address scalability and not use pre-shared keys, you could use one of the
hybrid authentication mechanisms described in
<draft-ietf-ipsec-isakmp-hybrid-auth-01.txt>.

This allows the gateway (the responder) to have a certificate, and be
authenticated using that. The client (the initiator) would use extended
authentication to be authenticated by the gateway.

While the client implementation still has to know how to deal with
certificates, it does not actually have to have certificates, allowing
remote users to be authenticated using only (perhaps existing) legacy
mechanisms. Distribution and management of client certificates becomes
unnecessary.

---
Tim Jenkins                       TimeStep Corporation
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617



> -----Original Message-----
> From: Waters Stephen [mailto:stephen.Waters@cabletron.com]
> Sent: Monday, February 22, 1999 5:21 AM
> To: ipsec@tis.com
> Subject: Question about Extended Authentication in IKE
> 
> 
> An extract from the draft :
> "This protocol can therefore be used in conjunction with any 
> existing basic
> ISAKMP authentication method as defined in [IKE]. If mutual 
> authentication
> is not required, then the phase 1 negotiation SHOULD use an 
> authentication
> method of shared-secret and have that shared-secret be null. This, is
> however, NOT suggested since the edge-device is NOT authenticated. 
> This authentication MUST be used after a phase 1 exchange has 
> completed and
> before a phase 2 exchange. The Transaction exchange is 
> therefore attached
> (appended) to the phase 1 exchanges (MainMode, AggressiveMode). If the
> extended authentication fails, then the phase 1 SA MUST be deleted."
> 
> Hi,
> If I want to use RADIUS to scale my IPSEC remote access, I 
> could use IKECFG
> messages to do that.  Since the draft suggests that NULL Phase-1
> authentication is "NOT suggested",  then the problem is how 
> to scale the
> Phase-1 authentication?
> Assuming I still use pre-sharded secret, then I would HAVE to use
> Aggresvice-mode, AND have a way of finding the appropriate 
> pre-shard secret
> for each client.  Can I use this same mechanism to retrieve 
> pre-sharded
> secret information (which I may cache I guess)?
> If I went for signature authentication (certificates), why 
> should I consider
> using any other form of authentication?
> Cheers, Steve.
> 
> 
> *	Stephen Waters
> 		Cabletron Systems Ltd. - R&D
> 		Unit 1, Heron Industrial Estate
> 		Basingstoke Road, Spencers Wood
> 		Reading, Berkshire, RG7 1PJ
> 
> *	External number:  +44 118 988 0024
> 	Internal extension:  12024
> 	External fax: +44 118 988 0001
> 
> *	Stephen.Waters@ctron.com
> 
>

Prev by Date: Question about Extended Authentication in IKE
Next by Date: Re: Bridging non-IP traffic over IPSec
Prev by thread: Question about Extended Authentication in IKE
Next by thread: Re: (IPng 7212) RE: Last Call: Mobility Support in IPv6 to Proposed Standard
Index(es):
- Main
- Thread