
Re: New XAUTH draft



  There are two possibilities here. You do XAUTH with an IKE SA that's
been authenticated in a standard, secure way, or you do it using an IKE
SA that's been authenticated with a shared group key. 

  If the former then you're building and maintaining two infrastructures, 
one for a PKI and another for some other authentication technique (like 
radius). That's pointless. Certificates can give you user authentication
so there is no reason to maintain the infrastructure required for radius.
The XAUTH step would provide no more authentication and would just be
an additional burden on the user (yet another dialog box asking for 
information).

  More likely it's the latter. IT managers have an investment in their
existing authentication scheme and don't want to throw it away. Likewise
they don't want to double their burden. So the solution they buy uses
group key authentication for IKE and their existing authentication scheme
in XAUTH. 

  The only problem is that the authenticity of the keys used in IPSec is 
derived from IKE's SKEYID state, and that is not authenticated when you
use a group key that everybody shares. This is alluded to in the Security
Considerations section of the draft. In effect, it's saying that for XAUTH
to be secure (i.e., not use a group shared key) it must be extraneous.

  Dan.

On Thu, 20 May 1999 15:47:52 EDT you wrote
> Or, you could put a certificate on a kiosk PC and make the (multiple) users
> use extended authentication for the system to figure out who they are.
> 
> In the long run, yes, those users will have their certs on a token.
> 
> But for now, XAUTH solves real problems that customers are having today, so
> XAUTH is not pointless.
> 
> Finally, just because XAUTH with pre-shared keys is possible, it doesn't
> mean you have to implement it. Have your system do only certificates with
> XAUTH if you like.
> 
> ---
> Tim Jenkins                       TimeStep Corporation
> tjenkins@timestep.com          http://www.timestep.com
> (613) 599-3610 x4304               Fax: (613) 599-3617
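The point about SKEYID above can be seen directly in the key derivation. The following is an added example, not code from either correspondent or from the XAUTH draft: it implements the pre-shared-key branch of the RFC 2409 section 5.4 derivation (SKEYID and SKEYID_d/_a/_e), assumes HMAC-SHA1 as the negotiated prf, and uses constructed nonces, cookies and Diffie-Hellman secret. The helper `distinct_skeyids` is hypothetical and only counts how many different SKEYID values a responder would compute for one exchange's nonces across its configured peers: with per-peer keys each peer yields its own SKEYID, while with one group key every peer collapses to the same value, so the IKE key material binds the SA to "someone holding the group key" rather than to any particular user.

```python
import hashlib
import hmac

# Added example, not from the mailing-list thread or the XAUTH draft.
# Follows the pre-shared-key branch of RFC 2409 section 5.4 and assumes
# HMAC-SHA1 as the negotiated prf.

# Constructed sample exchange values (nonces and cookies are sent in the clear;
# g^xy is the Diffie-Hellman shared secret, known only to the two endpoints).
NI = bytes.fromhex("00112233445566778899aabbccddeeff")   # Ni_b (initiator nonce)
NR = bytes.fromhex("ffeeddccbbaa99887766554433221100")   # Nr_b (responder nonce)
GXY = b"\x42" * 128                                      # g^xy, 1024-bit group
CKY_I = b"\x01\x02\x03\x04\x05\x06\x07\x08"              # CKY-I (initiator cookie)
CKY_R = b"\x11\x12\x13\x14\x15\x16\x17\x18"              # CKY-R (responder cookie)

# Two constructed gateway configurations for three road warriors.
GROUP_PSKS = {"alice": b"group-secret", "bob": b"group-secret", "carol": b"group-secret"}
PER_PEER_PSKS = {"alice": b"alice-secret", "bob": b"bob-secret", "carol": b"carol-secret"}


def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated pseudo-random function; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def ike_psk_keying(psk: bytes, ni_b: bytes, nr_b: bytes,
                   g_xy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """SKEYID and its derivatives for pre-shared key authentication (RFC 2409 5.4).

    SKEYID itself depends only on the pre-shared key and the two public nonces;
    g^xy and the cookies enter at the SKEYID_d/_a/_e stage.
    """
    skeyid = prf(psk, ni_b + nr_b)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def distinct_skeyids(psk_by_peer: dict, ni_b: bytes, nr_b: bytes) -> int:
    """Hypothetical check: how many different SKEYID values the responder would
    compute for this exchange across its configured peers.

    Equal to the number of peers when each has its own key; 1 when every peer
    shares a group key, in which case SKEYID (and everything derived from it)
    carries no information about which peer is actually on the other end.
    """
    return len({prf(psk, ni_b + nr_b) for psk in psk_by_peer.values()})


if __name__ == "__main__":
    keys = ike_psk_keying(GROUP_PSKS["alice"], NI, NR, GXY, CKY_I, CKY_R)
    for name, value in keys.items():
        print(f"{name:9s} {value.hex()}")
    print("distinct SKEYIDs, group key:   ", distinct_skeyids(GROUP_PSKS, NI, NR))
    print("distinct SKEYIDs, per-peer key:", distinct_skeyids(PER_PEER_PSKS, NI, NR))
```

Run as-is to see the four derived values and the two counts; swapping in a different `GXY` changes SKEYID_d/_a/_e but leaves SKEYID untouched, which is why the message above says the authenticity of the eventual IPsec keys rests on SKEYID, and hence on who can hold the pre-shared key.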

