
Re: New XAUTH draft



> 
> Glen,
> 
> If I use a certificate in IKE that attests to my user name, not the name or
> address of my computer, then I am doing user authentication.
> 
Yes, I agree.

> You may have a point that IKE, given its existing complexity, is  an
> unfortunate place to add other forms of user auth, but please don't say
> that it does not provide user auth under the right (existing)
> circumstances.
> 
Sure, IKE is limited in the authentication mechanisms it supports.
But I don't believe it is an unfortunate place to add other forms
of user authentication.

> Also, because IPsec involves access control as a basic security service, if
> the SPD entries take the form of user names, then it is preferable that IKE
> be able to verify user identity, in order to support the access control
> features of IPsec.  

Yes, I agree.

Note, however, that the access control mechanism in IKE is also primitive and
cumbersome.  By that, I mean you cannot have more than one policy rule per SA,
and that rule is not granular enough to cover all access controls you wish
to include for an SA.

For a remote access user, there is a link-level authentication done in PPP
(or other variations thereof, such as L2TP), subsequent to which access control
is assigned to the user for the duration of that user's connectivity.

For secure remote access, the user needs to additionally authenticate
himself/herself once again over UDP to gain access controls for security.
This IKE authentication is different from the PPP authentication,
and the security access controls assigned during Quick Mode also
take a different tack than the PPP access controls.

>                     If another protocol is employed to verify user identity,
> then one creates a more complex interdependence between IPsec and the other
> protocol, right?
> 
I don't believe it is so much a case of another protocol verifying user
identity; rather, extend IKE to support other forms of authentication.

> Steve
> 

Have a nice day.

cheers,
suresh

