[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: New XAUTH draft

To: ipsec@lists.tislabs.com
Subject: RE: New XAUTH draft
From: canetti <canetti@watson.ibm.com>
Date: Thu, 20 May 1999 11:33:15 -0400
Sender: owner-ipsec@lists.tislabs.com



I'd like to add a voice in favor of separating the legacy user
authentication mechanisms from IKE. There are several arguments
supporting this separation:

* First and foremost, IKE is hard to analyze and implement  correctly
as is. Adding modes and functionalities will only make it harder.
KISS (keep is simple and secure)!

* IKE/IPSEC is primarily meant for host-to-host protection. User
authentication seems to be best done on top of IKE/IPSEC,
not as a part of it.

* Having relatively simple and separate modules is a nice feature of the
IPSEC suite, as opposed to other, monolythic security protocols. Let's keep
it this way.


A seemingly "natural" alternative to XAUTH is to first do IKE, and then
complete the user authentication via the IPSEC-protected connection
(using either AH or ESP). Are there overwhelming arguments to not do it
this way, and break the modularity of IPSEC?


Ran

Prev by Date: Re: New XAUTH draft
Next by Date: Re: New XAUTH draft
Prev by thread: Re: New XAUTH draft
Next by thread: RE: New XAUTH draft
Index(es):
- Main
- Thread