
Re: SOI QUESTIONS: 2.3 Authentication styles
Theodore Ts'o wrote:
> Again, IPSEC working group --- please discuss:
> 
> 2.3.A.)  Does SOI need to natively support "legacy authentication
> systems"?
> 
> 2.3.B.)  Does SOI need to natively support some kind of "shared
> secret" scheme?  (Or just certificates-only?)
> 
> (Note. If SOI provides cert-only, then one would need to use
> another protocol to bootstrap certificates from a legacy
> authentication or shared secret scheme.)

Legacy authentication is important, but I have a feeling that it would
be even more important to support "no authentication". I'm unhappy
with the fact that even though we've had IPsec for years, most of the
actual traffic in the Internet is not protected by it. We should try
to enable protecting all traffic, even though we can't force it.

As to the actual question at hand, I'd prefer SOI to have an integrated
method for doing legacy authentication, maybe similar to CRACK. I did
quite a lot of X-Auth implementing at one point, and its biggest failures
were the inconvenient location at phase 1.5 of IKE, and the specifications
changing all the time. L2TP/IPsec is not the solution, because it requires
implementing two new protocol layers: L2TP and PPP, which could be fine
for VPN but probably not for other uses.

The answer to 2.3.B is just a corollary of how the legacy authentication
can be grafted onto SOI. If it doesn't require shared secrets but can
be done with self-signed certificates, all the better.

Ari


-- 

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F(ully)-Secure products: Securing the Mobile Enterprise