
Re: New XAUTH draft



There is something we missed here when a response came for the first post of
this thread. I would like to bring that up again.

If the SG has to send the first packet for XAUTH then it can be configured
for only one auth type it knows about. This is severely restrictive as the
SG cannot support SecurID and a local RADIUS server database. I want to
propose that we discuss this in the light that some SGs may need to support
more than one auth method. To do this SGs don't need to know which auth
method is configured, but they simply pass the request from the client to
someone else to process it. Hence the term proxy :-)

I don't think that doing 'A' form of XAUTH severely restricts or is a
burden on IKE. We have to do it somewhere and doing it before or after
(Phase1+Phase2) is definitely more complicated. We could never get it
resolved, let alone implement it.

My proposal would be to do XAUTH after IKE Phase 1 and before IKE Phase 2
using some predefined payloads. We can define this and implement it in a
time frame in which we can market an interoperable solution.

I don't think we can say that these are legacy systems, as 99% of user
authentication on the internet is done using some method other than
certificates. So is life, and I think it is not going to change tomorrow.

Thanks.
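The two designs contrasted in the message above, modelled as an added example that is not part of the original post or of any XAUTH draft: an SG that sends the first XAUTH packet and so is tied to one configured method, next to an SG that waits for the client's request and proxies it to whichever backend handles that method, with a session object that runs XAUTH after Phase 1 and refuses Phase 2 until it succeeds. The request shape, the method names ("password", "token"), the backends and the toy HMAC tokencode are all constructed stand-ins and are not the attribute types, message formats or algorithms of any real XAUTH, RADIUS or SecurID implementation.

```python
"""Toy model of the two XAUTH placements argued over in the message above.

Everything here is a constructed illustration: the method names, the
backends and the request shape are stand-ins, not the attribute types or
message formats of any XAUTH draft.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class XAuthRequest:
    """What the client sends: the method it wants to use, the user, and the
    user's secret (a password, or PIN+tokencode for a one-time token)."""
    method: str
    username: str
    secret: str


# --- Backends: the 'someone else' the SG hands the request to (hypothetical) ---

# Constructed local user database: username -> sha256(password) hex digest.
LOCAL_DB = {"alice": hashlib.sha256(b"alice-pass").hexdigest()}


def local_db_backend(req: XAuthRequest) -> bool:
    """Password check against the local database (stand-in for a RADIUS box)."""
    stored = LOCAL_DB.get(req.username)
    if stored is None:
        return False
    given = hashlib.sha256(req.secret.encode()).hexdigest()
    return hmac.compare_digest(stored, given)


# Constructed token server state: per-user seed and PIN.
TOKEN_SEEDS = {"bob": b"bob-token-seed"}
TOKEN_PINS = {"bob": "1234"}


def tokencode(seed: bytes, window: int) -> str:
    """Six-digit code for a one-minute window, derived with HMAC-SHA256.
    This is a toy scheme, not the SecurID algorithm."""
    mac = hmac.new(seed, window.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 1_000_000).zfill(6)


def make_token_backend(clock: Callable[[], float]) -> Callable[[XAuthRequest], bool]:
    """Build a token backend; 'clock' is injected so a test can pin the window."""
    def backend(req: XAuthRequest) -> bool:
        seed = TOKEN_SEEDS.get(req.username)
        if seed is None:
            return False
        window = int(clock() // 60)
        expected = TOKEN_PINS[req.username] + tokencode(seed, window)
        return hmac.compare_digest(expected, req.secret)
    return backend


# --- Two SG designs ---

class FixedMethodSG:
    """SG that sends the first XAUTH packet and therefore has to commit to a
    single auth method at configuration time."""
    def __init__(self, method: str, backend: Callable[[XAuthRequest], bool]):
        self.method, self.backend = method, backend

    def authenticate(self, req: XAuthRequest) -> bool:
        if req.method != self.method:  # cannot serve anything else
            return False
        return self.backend(req)


class ProxySG:
    """SG that waits for the client's request and forwards it, by method, to
    whichever backend handles it; the SG itself verifies nothing."""
    def __init__(self, backends: Dict[str, Callable[[XAuthRequest], bool]]):
        self.backends = backends

    def authenticate(self, req: XAuthRequest) -> bool:
        backend = self.backends.get(req.method)
        return backend(req) if backend else False


class IKESession:
    """Ordering proposed in the message: Phase 1, then XAUTH, then Phase 2.
    Phase 2 is refused until XAUTH has succeeded on this session."""
    def __init__(self, sg):
        self.sg, self.phase1_done, self.xauth_ok = sg, False, False

    def complete_phase1(self) -> None:
        self.phase1_done = True

    def run_xauth(self, req: XAuthRequest) -> bool:
        if not self.phase1_done:
            raise RuntimeError("XAUTH runs only after Phase 1")
        self.xauth_ok = self.sg.authenticate(req)
        return self.xauth_ok

    def start_phase2(self) -> bool:
        if not self.xauth_ok:
            raise PermissionError("Phase 2 refused: XAUTH not passed")
        return True
```

The point the model makes is that `ProxySG` never inspects a credential; adding a third method is a new entry in its backend table, whereas `FixedMethodSG` can only ever serve the one method it was configured with. The clock is injected into the token backend so that the same code can be exercised deterministically.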
