
Re: New XAUTH draft



Pyda,

>
>For a remote access user, there is a link level authentication done in PPP
>(or other variations thereof, such as L2TP), subsequent to which access
>control is assigned to the user, for the duration of that user connectivity.

IPsec does not require use of a link level auth mechanism, although some
folks do employ such mechanisms.  Also, because there are no standards for
the link level access control (to complement the link level auth), I don't
advise clients to use such mechanisms.

>For a secure remote access, the user needs to additionally authenticate
>himself/herself once again over UDP to gain access controls for security.
>This IKE authentication is different from the PPP authentication
>and the security access controls assigned during Quick Mode also
>take a different tack than the PPP access controls.

This is the L2TP approach, which is NOT the IPsec approach.  One thing
should be clear in this debate: L2TP, when employed with IPsec, loses some
of the IPsec functionality.  We are debating how to provide user auth for
IPsec and that does not imply use of IPsec with L2TP; we need to address
native use of IPsec.

>>                     If another protocol is employed to verify user identity,
>> then one creates a more complex interdependence between IPsec and the other
>> protocol, right?
>>
>I don't believe it is so much the case of another protocol to verify user
>identity - rather extend IKE to support other forms of authentication.

If IKE is extended, then you are correct.  But others have suggested not
extending IKE, which leads to the problem I alluded to above.

Steve
