
RE: Re[2]: PPP over IPSec (without L2TP)?



--- Stephen Kent <kent@bbn.com> wrote:
> Pyda,
> 
> >User vs. Machine authentication is really a key management protocol
> >issue (i.e., IKE) - somewhat orthogonal to IPsec architecture (RFC 2401).
> 
> RFC 2401 defines ID types that must be supported in the SPD, and which are
> aligned with IKE ID payload types. These ID types include X.500 DNs, that
> can certainly be used to identify users, and RFC 821 names, which are
> specifically user IDs (vs. the DNS ID type, which is designated for
> machines).  So I disagree with your assertion that this is purely a key
> management protocol issue. 

Ah, I see where you are coming from. Sure, RFC 2401 does allow using 
user-IDs to describe SPD. That is necessary, but not a sufficient
condition to support user-ID authentication. IKE is the one that
does the actual user-ID authentication and hence provides the
sufficiency for user-ID support.

Further, we are not just talking about being able to use user-ID for
authentication, but the actual method of authenticating the user-ID. 
I believe the confusion about user-ID authentication arises not 
because IKE does not support user-ID auth, but because it does not 
support asymmetric and legacy authentication methods.

>                            I do agree that protocols such as XAUTH
> demonstrate a clear intent to authenticate users, not just machines, but
> IKE and 2401 make definite statements to that effect already.
> 

I believe XAUTH and HYBRID-AUTH drafts (a) demonstrate the need for
asymmetric and legacy authentication methods, and (b) attempt to address
these in different ways as extensions to IKE.

> Steve
> 

regards,
suresh
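The "necessary but not sufficient" point above can be made concrete with a small policy model. This is an added illustration, not code from the thread or from any IPsec implementation: an SPD whose entries carry RFC 2401 name selectors (user vs. machine ID types, using the RFC 2407 IKE identification type numbers), and a lookup that only honours a name selector once IKE has actually authenticated the peer's identity. The SPD entries, peer identities and the `authenticated` flag are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# IKE (RFC 2407) identification type values that line up with the
# RFC 2401 SPD "name" selectors discussed in the thread.
ID_IPV4_ADDR = 1      # machine: IPv4 address
ID_FQDN = 2           # machine: DNS name
ID_USER_FQDN = 3      # user: mail-style user@host name
ID_DER_ASN1_DN = 9    # user or machine: X.500 distinguished name

USER_ID_TYPES = {ID_USER_FQDN, ID_DER_ASN1_DN}
CASE_INSENSITIVE_TYPES = {ID_FQDN, ID_USER_FQDN}


@dataclass(frozen=True)
class PeerIdentity:
    id_type: int
    value: str
    authenticated: bool   # True only after IKE phase 1 verified this ID


@dataclass(frozen=True)
class SPDEntry:
    name: str
    id_type: int
    id_value: str
    action: str           # "protect", "bypass" or "discard"


# Constructed sample SPD: one user-keyed entry, one machine-keyed entry.
SPD = [
    SPDEntry("alice-vpn", ID_USER_FQDN, "alice@example.com", "protect"),
    SPDEntry("branch-gw", ID_FQDN, "gw.example.com", "protect"),
]


def id_matches(entry: SPDEntry, peer: PeerIdentity) -> bool:
    """Match an SPD name selector against a peer ID of the same type."""
    if entry.id_type != peer.id_type:
        return False
    if entry.id_type in CASE_INSENSITIVE_TYPES:
        return entry.id_value.casefold() == peer.value.casefold()
    return entry.id_value == peer.value


def lookup_policy(spd, peer: PeerIdentity) -> Optional[SPDEntry]:
    """Select the SPD entry for this peer, or None.

    Having a user-ID selector in the SPD is the 'necessary' half; the
    'sufficient' half is IKE having authenticated that ID. An asserted
    but unverified identity therefore selects no policy at all."""
    if not peer.authenticated:
        return None
    return next((e for e in spd if id_matches(e, peer)), None)


def is_user_identity(peer: PeerIdentity) -> bool:
    """True when the ID type designates a user rather than a machine."""
    return peer.id_type in USER_ID_TYPES
```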
