
Re: New XAUTH draft



On Tue, 18 May 1999, Scott G. Kelly wrote:

> "Waters, Stephen" wrote:
> > 
> > Yes, I have a comment [on ISAKMP XAUTH].  A number of the authentication
> > methods expressed here require the edge device to understand which
> > authentication method is needed in advance of receiving the 'user name' from
> > the remote peer.
> 
> I would add that *all* of the authentication methods require the edge
> device to understand their respective protocols. Translation? Oodles of
> added complexity to our (secure?) key exchange protocol. Godzillakmp.

An observation that many others have made, as well.  IKE is just not the
place to do user authentication.

> 
> > This seems limiting to me.  Since it is likely that these 'legacy'
> > authentication methods are being used with RADIUS, wouldn't it be simple to
> > re-use EAP and EAP extensions to RADIUS?
> > 
> > This would allow the 'edge device' to be ignorant of the authentication
> > required, or the process needed to enact it. This saves complication in the
> > 'edge' device, allows central control of authentication policy and higher
> > granularity on user/authentication mapping.
> > 
> 
> <trimmed...>
> 
> Perhaps this gets to the heart of it. What is the compelling argument
> for adding such complexity to the security device in order to support
> these legacy authentication methods? Shouldn't we instead be trying to
> move people toward PKI and other such mechanisms, rather than
> encouraging the continued use of text passwords/phrases?
> 
> Scott
> 