
Re: New XAUTH draft



I've heard this "hybrid vs. XAUTH" thing a couple of times now and I would 
like to dispel it.  As Tamir would probably agree, Hybrid isn't a competitor 
to XAUTH and it isn't one or the other; they are complementary.  XAUTH is 
actually used within Hybrid.  XAUTH uses the already established 
authentication mechanisms of IKE while Hybrid establishes its own "hybrid" 
authentication schemes.  Hybrid is invaluable when only the server has a 
certificate and the client does not.  For the actual legacy authentication 
process, Hybrid uses XAUTH.

I guess the question for this thread is should XAUTH be allowed with shared 
secret authentication or should it mandate that it only be used with 
certificate-based authentication (RSA/enc, RSA/sig & DSA/enc) ?


>From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
>To: ipsec@lists.tislabs.com, ietf-ipsra@vpnc.org
>Subject: Re: New XAUTH draft
>Date: Thu, 30 Sep 1999 21:04:18 -0400
>
>
> >>>>> "Tamir" == Tamir Zegman <zegman@checkpoint.com> writes:
>     Tamir> Actually I think I can give you such an attack.  Assume that paul
>     Tamir> and Daniel have the same shared key to connect to Security Gateway
>     Tamir> (SG).  Daniel can mount a simple man in the middle attack - When
>     Tamir> Paul tries to connect to SG, Daniel spoofs the SG and
>
>   No need for IPsec to do this attack.
>
>   This attack was demonstrated years ago on multiple token authentication
>systems used to "secure" telnet connections. This attack is inherent in
>token authentication systems that authenticate only the client to the
>server, and not the server to the client.
>   There are challenge/response systems (some can involve tokens) that do
>not have this property that XAUTH could mediate.
>
>   Dan, I have a question (even though I've been trying hard to delete every
>message that says "XAUTH" or "Hybrid" in it), do *you* prefer hybrid to XAUTH?
>
>] Train travel features AC outlets with no take-off restrictions|  firewalls  [
>]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
>] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
>] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

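The shared-key man-in-the-middle Tamir describes, and the "authenticate the server to the client" remedy Michael points to, as a toy model added here for illustration (Python; not code from this thread or from any IKE implementation). The party names, the key names, the single-session gateway and the HMAC standing in for the gateway's certificate signature are all assumptions of the model.

```python
import hashlib, hmac, os

# Constructed toy secrets, not from the thread. GROUP_PSK is the one shared key
# both Paul and Daniel hold; TOKEN_SECRETS are per-user legacy token seeds used in
# the XAUTH step; GATEWAY_KEY stands in for the SG's certificate private key (a
# signature in practice; an HMAC here because the stdlib has no public-key code).
GROUP_PSK = b"group-psk-shared-by-all-clients"
TOKEN_SECRETS = {"paul": b"paul-token-seed"}
GATEWAY_KEY = b"gateway-only-certificate-key"

def mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class Gateway:
    """The real SG: Phase 1 tag on the group PSK, then an XAUTH token challenge."""
    def __init__(self):
        self.challenge = os.urandom(16)
    def hello(self, client_nonce):
        # The certificate proof is bound to this session's client nonce.
        return (mac(GROUP_PSK, b"ph1", client_nonce, self.challenge), self.challenge,
                mac(GATEWAY_KEY, b"sg", client_nonce, self.challenge))
    def xauth(self, user, response):
        return hmac.compare_digest(response, mac(TOKEN_SECRETS[user], self.challenge))

class Rogue:
    """Daniel: opens his own session to the SG, spoofs the SG toward Paul, relays XAUTH."""
    def __init__(self, real):
        self.real = real
    def hello(self, client_nonce):
        _, chal, stolen_proof = self.real.hello(os.urandom(16))  # Daniel's own nonce
        # Daniel knows the group PSK, so the Phase 1 tag is genuine; the best he
        # can do for the certificate proof is replay the one from his own session.
        return mac(GROUP_PSK, b"ph1", client_nonce, chal), chal, stolen_proof
    def xauth(self, user, response):
        return self.real.xauth(user, response)  # forward Paul's one-time token answer

def connect(user, peer, require_cert_proof):
    """Paul's client. True if the token login was accepted through this peer."""
    nonce = os.urandom(16)
    ph1, chal, proof = peer.hello(nonce)
    if not hmac.compare_digest(ph1, mac(GROUP_PSK, b"ph1", nonce, chal)):
        return False  # shared-secret check: Daniel passes it
    if require_cert_proof and not hmac.compare_digest(proof, mac(GATEWAY_KEY, b"sg", nonce, chal)):
        return False  # server proof over *our* nonce: Daniel cannot produce it
    return peer.xauth(user, mac(TOKEN_SECRETS[user], chal))

def demo():
    sg = Gateway()
    return (connect("paul", sg, True), connect("paul", Rogue(sg), False),
            connect("paul", Rogue(sg), True))
```

`demo()` returns (True, True, False): the direct login works, the relay through Daniel succeeds when the client trusts the shared secret alone, and fails once the client demands a server proof bound to its own nonce.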