
Re: Reliable delete notifies



Personally, I don't see what's so hard about using e.g. RSA for
authentication.  It is no harder to set up an RSA-based infrastructure
than it is to create a shared-secret infrastructure.  Indeed, I think
it is easier.

You don't need a full-blown PKI for an IPSec VPN.  All you need to do
is have your VPN 'client' machines generate a keypair, and then
'authentically' install that certificate in some 'database' based on
their userID.  Linux's FreeS/WAN does this fairly easily, for example.
You don't need signed certificates.  Treat them just like shared
secrets (which you seem to be able to handle already).  Instead of
assigning a password (shared secret) to an account, you assign an RSA
public key.  Just treat them the same for account provisioning.

So, what's the problem?

-derek

Ben McCann <bmccann@indusriver.com> writes:

> Bill Sommerfeld wrote:
> > 
> >    Is Aggressive Mode "standards bloat"
> > 
> > Yes.
> > 
> >    or is it a necessary addition to do what Ben wants to do?
> > 
> > It appears that what Ben wants to do is to use shared secret
> > authentication by "identity" rather than ip address.  It should be
> > possible to do this with main mode; we should figure out how to tweak
> > Main Mode to make this possible.
> 
> Correct. As Jan Vilhuber so eloquently pointed out, our customers
> want remote access IPSEC VPNs without the hassle of deploying
> a PKI. Aggressive mode provides a viable (IMHO) solution for
> remote access with identities other than IP addresses using
> pre-shared keys for authentication.
> 
> Other options for remote access without _requiring_ certs are:
> 
> - XAUTH with a group pre-shared key.
> 
> - XAUTH with Hybrid Auth.
> 
> - IPSRA temporary certificates.
> 
> The XAUTH solutions, while available today from a number of vendors,
> are not on the standards track and the third IPSRA option is far from
> any interoperability testing, much less deployment.
> 
> So, until IPSRA defines its remote access protocols and they are
> implemented, Aggressive Mode is the only standards track interoperable
> method to do remote access without mandating adoption of a PKI as a
> prerequisite for deploying a VPN.
> 
> -Ben McCann
>  
> -- 
> Ben McCann                              Indus River Networks
>                                         31 Nagog Park
>                                         Acton, MA, 01720
> email: bmccann@indusriver.com           web: www.indusriver.com 
> phone: (978) 266-8140                   fax: (978) 266-8111

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
       warlord@MIT.EDU                        PGP key available
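As an added illustration of Derek's point (not code from this thread, nor from FreeS/WAN or any IKE implementation): a provisioning store that assigns an account either a shared secret or a raw, unsigned RSA public key, keyed on the userID, and a gateway-side check that works the same way for both. The HMAC-over-challenge and RSA-PSS-over-challenge proofs, the 2048-bit key size and the user names are assumptions; IKE's actual authentication exchanges are not modelled.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Credential is one row of the per-userID "database": a shared secret or a
// self-generated RSA public key (no CA signature, no certificate chain).
type Credential struct {
	PSK []byte         // shared-secret account
	Pub *rsa.PublicKey // RSA account
}
type Store map[string]Credential // provisioning database, keyed by userID

// Provisioning is the same operation for either credential type.
func (s Store) ProvisionPSK(user string, psk []byte)         { s[user] = Credential{PSK: psk} }
func (s Store) ProvisionRSA(user string, pub *rsa.PublicKey) { s[user] = Credential{Pub: pub} }

// NewClientKey is the "client generates a keypair" step (2048-bit RSA assumed).
func NewClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Client side: a proof over a fresh challenge, using whichever credential it holds.
func ProvePSK(psk, challenge []byte) []byte {
	mac := hmac.New(sha256.New, psk)
	mac.Write(challenge)
	return mac.Sum(nil)
}
func ProveRSA(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Gateway side: look up the userID, then check the proof against the
// provisioned credential. The lookup step is identical for both.
func (s Store) Authenticate(user string, challenge, proof []byte) error {
	cred, ok := s[user]
	switch {
	case !ok:
		return errors.New("unknown user")
	case cred.PSK != nil:
		if hmac.Equal(ProvePSK(cred.PSK, challenge), proof) {
			return nil
		}
		return errors.New("bad shared-secret proof")
	case cred.Pub != nil:
		digest := sha256.Sum256(challenge)
		return rsa.VerifyPSS(cred.Pub, crypto.SHA256, digest[:], proof, nil)
	}
	return errors.New("no credential provisioned")
}
```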

