[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Comment on xauth and hybrid

To: ipsec@lists.tislabs.com
Subject: Comment on xauth and hybrid
From: Dennis Glatting <dennis.glatting@software-munitions.com>
Date: Tue, 13 Jul 1999 22:59:36 -0700 (PDT)
In-Reply-To: <Pine.BSI.3.91.990713201635.24672A-100000@spsystems.net>
Sender: owner-ipsec@lists.tislabs.com


I must first admit I had not read the xauth and hybrid drafts until
after the IPsec meeting where concerns were raised about weakening
IPsec by supporting legacy authentication systems. As a manager and
advisor of several enterprises I certainly understand the
"transitional" intent of these documents. In fact, I could easily be
one calling for their existence and demanding their implementation.
However, as that same manager and advisor I can confidently tell you
legacy systems, no matter their function, remain in-place and key
infrastructure components longer than they should.

The PKI reality is there isn't one, so shared secrets, I expect, will
be the IPsec authentication mechanism of choice until products mature
and prices decline. The difference between simple shared secrets and
xauth/hybrid is xauth/hybrid extends existing, seemingly easy to
manage, managed shared secret technologies yielding, in my opinion, no
motivation to improve the security of infrastructures (i.e.,
transition to PKI). Is this where we want to be after several years of
work and some cantankerous meetings?

Perhaps not using managed shared secret technologies but I look to the
SSL/TLS web reality of today as a crystal ball of the future of a
widely deployed xauth/hybrid IPsec. I do a fair amount of on-line
purchasing. For some ten sites I have, to my dismay, several user
identifiers and passwords housed in ten different databases managed by
staffs with ten different philosophies on security and skill sets. Not
once have I been prompted by my browsers for the password to decrypt
my private key. Not once. If these sites supported client side
certificates I would not have to create an identifier, divulge a
password, or write these things down on a piece of paper and tuck it
away in my wallet. Further, I remember reading about a survey by
Netcraft where only 5% of the web sites they queried offering server
side certificates offered valid certificates. My concern is
xauth/hybrid effectively reduce IPsec to the SSL/TLS reality of today
(i.e., we really haven't improved things).

I offer the following suggestions. First, finish a combined
xauth/hybrid draft and classify it as experimental. Second, the
Security Considerations section of the draft be written not by the
draft's proponents but by at least two of its detractors. Finally, set
a deadline (perhaps three years) where the PS is committed to
historic.

Follow-Ups:

Re: Comment on xauth and hybrid

From: Tamir Zegman <zegman@checkpoint.com>

References:

Re: new second mandatory IPsec cipher

From: Henry Spencer <henry@spsystems.net>

Prev by Date: Re: parallel vpns
Next by Date: Re: new second mandatory IPsec cipher
Prev by thread: Re: new second mandatory IPsec cipher
Next by thread: Re: Comment on xauth and hybrid
Index(es):
- Main
- Thread