
RE: New XAUTH draft




>Stop moving that bar!

>The client is presumed to be coming from an unknown IP address so it's
>difficult to have multiple pre-shared keys on the gateway because he
>won't know which one to use. But even if you do find some way (aggressive
>mode using ID_KEYID with some blob there which says "use pre-shared key
>foo" for instance) you still have the burden of maintenance of the 
>multiple pre-shared key sets and managing who goes into what set. That
>becomes very Rube Goldbergian and still does not overcome the fact that 
>any member in a set can snoop traffic or impersonate any other member of 
>the set.

This can be done in a straightforward way using the tunnel additions to
RADIUS.
Also, the clients can only snoop or impersonate if they have the
authentication material needed to get past xauth as well.

Steve.
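The point under dispute above (whether members of a shared pre-shared-key set can impersonate one another, and whether a per-user key lookup such as a RADIUS-backed one removes that) can be shown with a small constructed model. This is an added illustration, not code from the thread or from any IKE/XAUTH implementation: the keyed-hash "authenticator" stands in for the real IKE authentication payload, the key table stands in for whatever per-user lookup the gateway performs, and all key values are made up.

```python
import hmac
import hashlib
import secrets

# Constructed sample keys (not real credentials).
GROUP_PSK = b"constructed-group-psk-shared-by-every-member"

# Per-user keys as a gateway might obtain them from a backend lookup
# (assumption: stands in for a RADIUS-style per-user key attribute).
PER_USER_PSK = {
    "alice": b"constructed-psk-for-alice",
    "bob": b"constructed-psk-for-bob",
}


def make_authenticator(psk: bytes, claimed_id: str, nonce: bytes) -> bytes:
    """Toy authenticator: a MAC over the claimed identity and a fresh nonce,
    keyed with whatever pre-shared key the sender holds."""
    return hmac.new(psk, claimed_id.encode() + nonce, hashlib.sha256).digest()


def verify_with_group_psk(claimed_id: str, nonce: bytes, tag: bytes) -> bool:
    """Gateway using one PSK for the whole set: the key says nothing about
    which member produced the tag, only that some member did."""
    expected = make_authenticator(GROUP_PSK, claimed_id, nonce)
    return hmac.compare_digest(expected, tag)


def verify_with_per_user_psk(claimed_id: str, nonce: bytes, tag: bytes) -> bool:
    """Gateway looking up a key per claimed identity: the tag only verifies
    if it was made with the key belonging to that identity."""
    psk = PER_USER_PSK.get(claimed_id)
    if psk is None:
        return False
    expected = make_authenticator(psk, claimed_id, nonce)
    return hmac.compare_digest(expected, tag)


def impersonation_outcome() -> tuple:
    """Alice, a legitimate member, claims to be Bob under both schemes.
    Returns (accepted_under_group_psk, accepted_under_per_user_psk)."""
    nonce = secrets.token_bytes(16)
    # With a set-wide PSK Alice holds the same key Bob would use.
    forged_group_tag = make_authenticator(GROUP_PSK, "bob", nonce)
    # With per-user keys Alice only holds her own key.
    forged_user_tag = make_authenticator(PER_USER_PSK["alice"], "bob", nonce)
    return (
        verify_with_group_psk("bob", nonce, forged_group_tag),
        verify_with_per_user_psk("bob", nonce, forged_user_tag),
    )


def legitimate_outcome() -> bool:
    """Sanity check: Bob authenticating as himself under per-user keys."""
    nonce = secrets.token_bytes(16)
    tag = make_authenticator(PER_USER_PSK["bob"], "bob", nonce)
    return verify_with_per_user_psk("bob", nonce, tag)


if __name__ == "__main__":
    group_ok, per_user_ok = impersonation_outcome()
    print("set-wide PSK accepts Alice claiming to be Bob:", group_ok)
    print("per-user PSK accepts Alice claiming to be Bob:", per_user_ok)
    print("per-user PSK accepts Bob as himself:", legitimate_outcome())
```

The model shows only the key-binding property: a set-wide key authenticates membership in the set, not an individual, so the gateway cannot distinguish members by it. It does not model the additional XAUTH credential exchange Steve refers to, which is a separate factor layered on top of whichever key scheme is used.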