
RE: Re[2]: PPP over IPSec (without L2TP)?

--- Stephen Kent <kent@bbn.com> wrote:
<... stuff deleted>
> 
> The statement about user vs. machine authentication is incorrect, and
> consistent with the misunderstanding of IPsec expressed by some of the L2TP
> partisans.  If you read RFC 2401 carefully you will note that IPsec
> supports individual user authentication, in both modes.
> 

User vs. Machine authentication is really a key management protocol 
issue (i.e., IKE) - somewhat orthogonal to IPsec architecture (RFC 2401).

However, I do agree with Steve that there is a lot of misunderstanding 
on the issue of User vs. Machine authentication. IKE does not prohibit
having multiple phase-I SAs between the same pair of SecGW nodes, 
one SA for each user that wishes to authenticate from his/her 
local GW to the remote gateway. It is not necessary to perform the authentication
in 2 phases - i.e., device-to-device authentication, followed by user-to-device
authentication.

The reason we have the XAUTH and HYBRID-AUTH drafts out is because IKE
mandates symmetric forms of authentication and that is a lot harder to 
accomplish with legacy systems. XAUTH tries to solve the problem by
doing the authentication in 2 phases - symmetric authentication between
devices, followed by user authentication. HYBRID authentication solves 
the problem by allowing asymmetric authentications in the IKE protocol.

Hope this helps clarify the misunderstanding. Thanks.

> Steve
> 

cheers,
suresh
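The three arrangements described in the message above (a phase-1 SA per user between one pair of gateways, XAUTH's two-step device-then-user authentication, and hybrid authentication where only the gateway authenticates in phase 1), as an added Python model. This is illustration code written for this page, not code from the original message, from the XAUTH/HYBRID drafts, or from any IKE implementation: the PRF, transcripts, cookie-keyed SA table, the toy RSA key (p=61, q=53) and the PSK/password stores are all constructed stand-ins for what RFC 2409 does with SKEYID, HASH_I/HASH_R and real credentials. The point it makes concrete is that the ISAKMP SA table is keyed by cookie pair rather than by peer address, so nothing stops several per-user phase-1 SAs between the same two nodes, and that in the XAUTH and hybrid cases the SA is not usable for phase 2 until the user step succeeds.

```python
"""Toy model of per-user phase-1 SAs, XAUTH and hybrid authentication.

Added example, not IKE code. Keys, transcripts, the RSA parameters and the
user/PSK stores are constructed sample data; the hashing is a stand-in for
the SKEYID / HASH_I / HASH_R computations of RFC 2409.
"""
import hashlib
import hmac
import os

# Constructed sample credential stores (assumptions, not from the post).
DEVICE_PSK = {"gw-a.example": b"device-secret-a"}   # symmetric, per machine
USER_PSK = {"alice@example": b"alice-psk"}           # symmetric, per user
LEGACY_PASSWORDS = {"bob@example": "hunter2"}        # e.g. a RADIUS back end
# Toy RSA key for the gateway: n = 61 * 53, e = 17, d = 2753. Insecure; demo only.
GW_RSA_N, GW_RSA_E, GW_RSA_D = 3233, 17, 2753


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for IKE's keyed PRF (HMAC-SHA1 in RFC 2409)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def toy_sign(data: bytes) -> int:
    """Gateway signature for the hybrid case (textbook RSA over a hash)."""
    h = int.from_bytes(hashlib.sha1(data).digest(), "big") % GW_RSA_N
    return pow(h, GW_RSA_D, GW_RSA_N)


def toy_verify(data: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha1(data).digest(), "big") % GW_RSA_N
    return pow(sig, GW_RSA_E, GW_RSA_N) == h


class Gateway:
    def __init__(self):
        # Phase-1 SAs keyed by (initiator cookie, responder cookie), as in
        # ISAKMP, not by peer address: several SAs per peer are fine.
        self.sas = {}

    def phase1_psk(self, peer, cookie_i, ident, hash_i, transcript):
        """Symmetric phase 1: peer proves knowledge of a shared key.
        ident may name a machine or a user; IKE itself does not care."""
        psk = DEVICE_PSK.get(ident) or USER_PSK.get(ident)
        if psk is None or not hmac.compare_digest(prf(psk, transcript), hash_i):
            return None
        cookie_r = os.urandom(8)
        self.sas[(cookie_i, cookie_r)] = {"peer": peer, "id": ident,
                                          "method": "psk",
                                          "user_ok": ident in USER_PSK}
        return cookie_r

    def phase1_hybrid(self, peer, cookie_i, transcript):
        """Hybrid phase 1: only the gateway authenticates (signature); the
        initiator stays unauthenticated until the XAUTH step."""
        cookie_r = os.urandom(8)
        self.sas[(cookie_i, cookie_r)] = {"peer": peer, "id": None,
                                          "method": "hybrid", "user_ok": False}
        return cookie_r, toy_sign(transcript + cookie_r)

    def xauth(self, cookie_pair, username, password):
        """User step after phase 1: credential checked against the legacy
        store; the SA becomes usable for phase 2 only on success."""
        sa = self.sas[cookie_pair]
        if LEGACY_PASSWORDS.get(username) == password:  # demo check only
            sa.update({"id": username, "user_ok": True})
            return True
        del self.sas[cookie_pair]  # failed user auth tears the SA down
        return False

    def phase2_allowed(self, cookie_pair):
        sa = self.sas.get(cookie_pair)
        return sa is not None and sa["user_ok"]


def run_demo():
    """Drive the three flows from one peer address; return what happened."""
    gw, peer, out = Gateway(), "10.0.0.2", {}

    # (1) Per-user PSK: a user-level phase-1 SA, no separate device step.
    t1, c1 = b"transcript-1", os.urandom(8)
    r1 = gw.phase1_psk(peer, c1, "alice@example", prf(USER_PSK["alice@example"], t1), t1)
    out["alice_phase2"] = gw.phase2_allowed((c1, r1))
    out["wrong_psk_rejected"] = gw.phase1_psk(peer, os.urandom(8), "alice@example", b"x" * 20, t1) is None

    # (2) XAUTH: device PSK first, then the user's legacy password.
    t2, c2 = b"transcript-2", os.urandom(8)
    r2 = gw.phase1_psk(peer, c2, "gw-a.example", prf(DEVICE_PSK["gw-a.example"], t2), t2)
    out["device_only_phase2"] = gw.phase2_allowed((c2, r2))  # not yet
    out["xauth_ok"] = gw.xauth((c2, r2), "bob@example", "hunter2")
    out["bob_phase2"] = gw.phase2_allowed((c2, r2))

    # (3) Hybrid: gateway signs, client verifies, then the user step fails.
    t3, c3 = b"transcript-3", os.urandom(8)
    r3, sig = gw.phase1_hybrid(peer, c3, t3)
    out["gw_sig_ok"] = toy_verify(t3 + r3, sig)
    out["hybrid_bad_pw"] = gw.xauth((c3, r3), "bob@example", "wrong")
    out["hybrid_sa_gone"] = (c3, r3) not in gw.sas

    out["sa_count_same_peer"] = sum(1 for s in gw.sas.values() if s["peer"] == peer)
    return out
```

Running `run_demo()` leaves two phase-1 SAs for the single peer address (alice's per-user SA and the XAUTH-completed one), shows the device-only SA refusing phase 2 until XAUTH succeeds, and shows the hybrid SA being discarded when the user password is wrong even though the gateway's own signature verified.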
