Re: Reliable delete notifies
Personally, I don't see what's so hard about using e.g. RSA for
authentication. It is no harder to set up an RSA-based infrastructure
than it is to create a shared-secret infrastructure. Indeed, I think
it is easier.
You don't need a full-blown PKI for an IPSec VPN. All you need to do
is have your VPN 'client' machines generate a keypair, and then
'authentically' install that certificate in some 'database' based on
their userID. Linux's FreeS/WAN does this fairly easily, for example.
You don't need signed certificates. Treat them just like shared
secrets (which you seem to be able to handle already). Instead of
assigning a password (shared secret) to an account, you assign an RSA
public key. Just treat them the same for account provisioning.
So, what's the problem?
-derek
Ben McCann <bmccann@indusriver.com> writes:
> Bill Sommerfeld wrote:
> >
> > Is Aggressive Mode "standards bloat"
> >
> > Yes.
> >
> > or is it a necessary addition to do what Ben wants to do?
> >
> > It appears that what Ben wants to do is to use shared secret
> > authentication by "identity" rather than IP address. It should be
> > possible to do this with main mode; we should figure out how to tweak
> > Main Mode to make this possible.
>
> Correct. As Jan Vilhuber so eloquently pointed out, our customers
> want remote access IPSEC VPNs without the hassle of deploying
> a PKI. Aggressive mode provides a viable (IMHO) solution for
> remote access with identities other than IP addresses using
> pre-shared keys for authentication.
>
> Other options for remote access without _requiring_ certs are:
>
> - XAUTH with a group pre-shared key.
>
> - XAUTH with Hybrid Auth.
>
> - IPSRA temporary certificates.
>
> The XAUTH solutions, while available today from a number of vendors,
> are not on the standards track and the third IPSRA option is far from
> any interoperability testing, much less deployment.
>
> So, until IPSRA defines its remote access protocols and they are
> implemented, Aggressive Mode is the only standards track interoperable
> method to do remote access without mandating adoption of a PKI as a
> prerequisite for deploying a VPN.
>
> -Ben McCann
>
> --
> Ben McCann Indus River Networks
> 31 Nagog Park
> Acton, MA, 01720
> email: bmccann@indusriver.com web: www.indusriver.com
> phone: (978) 266-8140 fax: (978) 266-8111
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL N1NWH
warlord@MIT.EDU PGP key available
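The provisioning model Derek describes above (each client generates a keypair, the public key is stored in a per-userID "database" and looked up by identity, exactly as a pre-shared secret would be) is sketched below as an added Go example. It is not code from the thread, from FreeS/WAN, or from any IKE implementation: the KeyDirectory type, the challenge/response framing and the choice of RSA-PSS over SHA-256 are assumptions made for illustration; IKE Main Mode runs its own authentication exchange. The point it shows is that the server only ever holds public keys, so compromising the key database does not yield anything that can impersonate a user, which is the property a shared-secret database lacks.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// KeyDirectory stands in for the per-account "database" from the post:
// userID -> DER-encoded PKIX public key. No private material is stored.
type KeyDirectory struct {
	keys map[string][]byte
}

func NewKeyDirectory() *KeyDirectory {
	return &KeyDirectory{keys: map[string][]byte{}}
}

// GenerateClientKey is what the VPN client does once: create its keypair.
// The private half never leaves the client. (2048 bits for the example.)
func GenerateClientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Provision registers a user's public key, the same step as assigning a
// shared secret to an account. Re-provisioning an existing ID is refused
// so an attacker cannot silently overwrite a key through the same path.
func (d *KeyDirectory) Provision(userID string, pub *rsa.PublicKey) error {
	if _, exists := d.keys[userID]; exists {
		return errors.New("user already provisioned")
	}
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return err
	}
	d.keys[userID] = der
	return nil
}

// NewChallenge is the server's fresh random nonce for one authentication.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// message binds the claimed identity to the nonce so a signature produced
// for one userID cannot be presented under another.
func message(userID string, challenge []byte) []byte {
	digest := sha256.Sum256(append([]byte(userID+"\x00"), challenge...))
	return digest[:]
}

// SignChallenge is the client side: prove possession of the private key.
func SignChallenge(priv *rsa.PrivateKey, userID string, challenge []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, message(userID, challenge), nil)
}

// Authenticate is the server side: look the key up by identity (not by IP
// address), then verify the signature over the challenge.
func (d *KeyDirectory) Authenticate(userID string, challenge, sig []byte) bool {
	der, ok := d.keys[userID]
	if !ok {
		return false // unknown identity
	}
	parsed, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return false
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return false
	}
	return rsa.VerifyPSS(pub, crypto.SHA256, message(userID, challenge), sig, nil) == nil
}

func main() {
	dir := NewKeyDirectory()
	alice, _ := GenerateClientKey()
	_ = dir.Provision("alice", &alice.PublicKey) // constructed sample user
	nonce, _ := NewChallenge()
	sig, _ := SignChallenge(alice, "alice", nonce)
	fmt.Println("alice authenticates:", dir.Authenticate("alice", nonce, sig))
	fmt.Println("replay with new nonce:", func() bool {
		n2, _ := NewChallenge()
		return dir.Authenticate("alice", n2, sig)
	}())
}
```

Operationally the only thing the administrator handles is the public key at provisioning time, which is why the post argues it is no harder than handing out a password; the part that still needs care is the "authentic" installation step, since whoever can write to the directory can enrol a key of their choosing.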