
RE: New XAUTH draft



much snipped below...

---
Tim Jenkins                       TimeStep Corporation
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617



> -----Original Message-----
> From: Scott G. Kelly [mailto:skelly@redcreek.com]
> Sent: May 20, 1999 12:34 PM
> To: Stephane Beaulieu
> Cc: Glen Zorn; Waters, Stephen; ipsec@lists.tislabs.com
> Subject: Re: New XAUTH draft

Stephane said:

> > This provides a nice, easy migration path to those who would like to
> > eventually fully deploy IPSec with a PKI, but for now are limited to
> > using their existing infrastructures.  XAUTH also ensures that these
> > legacy system transactions enjoy the full security that IPSec provides.

Scott replied:

> I don't quite agree with this. I do agree that integrating radius (and
> perhaps other "legacy" mechanisms) smoothes the transition to IPSec, but
> I have the feeling that making it too easy will breed complacency. Also,
> I think the statement about enjoying the "full security that IPSec
> provides" is questionable. These mechanisms add much in the way of
> complexity to IKE, and they basically reduce the authentication
> mechanism to a plain-language passphrase which probably isn't too hard
> to guess - meaning they *reduce* the security IPSec provides.

Are you perhaps mixing up XAUTH with the hybrid draft?

The only way XAUTH reduces the existing authentication of IKE is if
the sysadmin uses pre-shared key authentication and shares it everywhere
or sets it to null (if that's even possible).

Hybrid, on the other hand, does allow one end to drop the existing forms
of authentication. But even then, the problem it's trying to solve does
have a place with customers.

