
RE: New XAUTH draft

...and another thing... Since you guys in the US get the last say, I take my
opportunity to have the first :)


Phase-1 authentication (as we know) should give us mutual authentication. If
legacy authentication is used with IKE-XAUTH, we expect that Pre-Shared is
used for Phase-1, and that the pre-shared secret is 'common knowledge' or
null.

Well, the problem here is that a 'common knowledge' pre-shared secret is not
much of a secret at all, and what you are left with is one-way
authentication care of IKE-XAUTH.

Since RADIUS is probably involved in this picture, and there are 'tunnel'
RADIUS attributes to play with now, why not just use RADIUS to retrieve a
per-user pre-shared secret?

This gives the following options:

1) use just per-user pre-shared and no IKE-XAUTH
2) use per-user pre-shared and per-user token/OTP etc.
3) as for 1) and 2), but with group pre-shared secret (better than global or
NULL)

The recommendation to customers would then be:

1) take the pain and do PKI
2) use RADIUS servers that support tunnel attributes and use per-user
pre-shared
3) use 2) plus whatever Legacy stuff you're hooked on.

Cheers, Steve.
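An added illustration of the one-way-authentication point made above (this is not part of Steve's message): a toy Phase-1-style check in which the responder proves knowledge of a pre-shared secret. The HMAC authenticator stands in for IKE's PSK-keyed HASH payloads and the in-memory table stands in for a RADIUS per-user secret lookup; both are assumptions, and all secrets are constructed values.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a RADIUS server that returns a per-user pre-shared
# secret (the real tunnel attributes are not modelled). Values are made up.
USER_PSK_DB = {b"alice": b"alice-secret-1", b"bob": b"bob-secret-2"}
# The 'common knowledge' group/global secret the message warns about.
GROUP_PSK = b"common-knowledge"


def authenticator(psk, user, ni, nr, role):
    """Simplified stand-in for IKE's PSK-keyed HASH_I/HASH_R: a PRF over the
    nonces, bound to the peer's role and the user identity."""
    return hmac.new(psk, role + user + ni + nr, hashlib.sha256).digest()


def initiator_accepts_responder(user, initiator_psk, responder_lookup):
    """One Phase-1-style round: the responder proves knowledge of the PSK it
    associates with `user`; the initiator checks it against its own PSK.
    Returns True when the initiator would accept the responder as genuine."""
    ni, nr = os.urandom(16), os.urandom(16)
    responder_psk = responder_lookup(user)
    hash_r = authenticator(responder_psk, user, ni, nr, b"R")
    expected = authenticator(initiator_psk, user, ni, nr, b"R")
    return hmac.compare_digest(hash_r, expected)


def genuine_gateway(user):
    # Looks the per-user secret up, as a RADIUS-backed gateway would.
    return USER_PSK_DB.get(user, b"unknown-user")


def rogue_gateway(user):
    # An impostor who only knows the common-knowledge secret.
    return GROUP_PSK


def compare_deployments(user=b"alice"):
    """Returns (group_psk_rogue_accepted, per_user_genuine_accepted,
    per_user_rogue_accepted)."""
    return (
        initiator_accepts_responder(user, GROUP_PSK, rogue_gateway),
        initiator_accepts_responder(user, USER_PSK_DB[user], genuine_gateway),
        initiator_accepts_responder(user, USER_PSK_DB[user], rogue_gateway),
    )


if __name__ == "__main__":
    print(compare_deployments())  # (True, True, False)
```

With the shared secret the impostor passes the initiator's check, so only the XAUTH leg authenticates anyone; with a per-user secret only a gateway that can look that user's secret up is accepted.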