
RE: Using Legacy Authentication for IPSRA (was: xauth requirements: vulnerabilities)



John,

Your taxonomy is a nice one, but I think another way to view this issue is
to remember that the primary reason for authentication in IPsec is as input
to an identity-based access control decision that is enforced by the IPsec
receiver.  RFC 2401 defines a set of ID forms for use in the SPD, and they
define the types of principals to which access is granted.  This includes
both devices (based on IP address or DNS name or DN) and people (based on
RFC822 name or DN).  [Often there is an assumption that if one
authenticates an end system, and it is a single user end system, then there
is a one-to-one mapping to a specific user, even if that mapping is not
expressed in the SPD by the choice of name form.] IPsec does not support
authentication of a compound principal, or of a user and a system
independently.  It would not make sense to do so unless there was a
corresponding SPD entry type for compound principals.

Steve

P.S.  I avoid using the term "client" with IPsec as the protocols do not
have clients and servers.  We have end systems and security gateways.
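The access control decision described above, as an added example that is not part of this thread: the IPsec receiver keys its SPD lookup on the single authenticated ID form (RFC 2407 identifier names are used here; the SPD layout, actions, and all names and addresses are constructed assumptions).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class PeerID:
    """Identity asserted and authenticated by the IKE peer (exactly one ID type)."""
    id_type: str   # RFC 2407 identifier type name
    value: str

@dataclass(frozen=True)
class SPDEntry:
    """One SPD rule: name form + pattern -> action (PROTECT / BYPASS / DISCARD)."""
    id_type: str
    pattern: str   # CIDR for ID_IPV4_ADDR, otherwise the exact name
    action: str

def id_matches(entry: SPDEntry, peer: PeerID) -> bool:
    # The name form is part of the selector: an FQDN never matches a
    # user-FQDN rule, even when the strings happen to be equal.
    if entry.id_type != peer.id_type:
        return False
    if entry.id_type == "ID_IPV4_ADDR":
        return ip_address(peer.value) in ip_network(entry.pattern)
    if entry.id_type == "ID_FQDN":
        return entry.pattern.casefold() == peer.value.casefold()
    return entry.pattern == peer.value   # ID_USER_FQDN, ID_DER_ASN1_DN

def spd_lookup(spd: list, peer: PeerID) -> str:
    """Ordered SPD: the first matching entry decides; no match means DISCARD.
    A PeerID carries one name form, so a 'user alice on device 10.0.0.5'
    rule cannot be expressed: there is no compound-principal entry type."""
    for entry in spd:
        if id_matches(entry, peer):
            return entry.action
    return "DISCARD"

# Constructed sample SPD (hypothetical names and addresses).
SAMPLE_SPD = [
    SPDEntry("ID_IPV4_ADDR", "10.0.0.0/24", "PROTECT"),         # device principal
    SPDEntry("ID_FQDN", "gw1.example.com", "PROTECT"),          # device principal
    SPDEntry("ID_USER_FQDN", "alice@example.com", "PROTECT"),   # user principal
    SPDEntry("ID_DER_ASN1_DN", "CN=bob,O=Example", "PROTECT"),  # DN: person or device
]

if __name__ == "__main__":
    for peer in (PeerID("ID_USER_FQDN", "alice@example.com"),
                 PeerID("ID_IPV4_ADDR", "10.0.0.5"),
                 PeerID("ID_IPV4_ADDR", "192.0.2.9")):
        print(peer, "->", spd_lookup(SAMPLE_SPD, peer))
```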

