
Re: New XAUTH draft



"Waters, Stephen" wrote:
> 
> Yes, I have a comment [on ISAKMP XAUTH].  A number of the authentication
> methods expressed here require the edge device to understand which
> authentication method is needed in advance of receiving the 'user name' from
> the remote peer.

I would add that *all* of the authentication methods require the edge
device to understand their respective protocols. Translation? Oodles of
added complexity to our (secure?) key exchange protocol. Godzillakmp.

> This seems limiting to me.  Since it is likely that these 'legacy'
> authentication methods are being used with RADIUS, wouldn't it be simple to
> re-use EAP and EAP extensions to RADIUS?
> 
> This would allow the 'edge device' to be ignorant of the authentication
> required, or the process needed to enact it. This saves complication in the
> 'edge' device, allows central control of authentication policy and higher
> granularity on user/authentication mapping.
> 

<trimmed...>

Perhaps this gets to the heart of it. What is the compelling argument
for adding such complexity to the security device in order to support
these legacy authentication methods? Shouldn't we instead be trying to
move people toward PKI and other such mechanisms, rather than
encouraging the continued use of text passwords/phrases? 

Scott

