Re: SOI QUESTIONS: 2.3 Authentication styles



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Darren" == Darren Dukes <ddukes@cisco.com> writes:
    >> 2.3.B.)  Does SOI need to natively support some kind of "shared
    >> secret" scheme?  (Or just certificates-only?)
    Darren> Short answer: No but MUST support native legacy authentication if
    Darren> shared secrets don't exist.

  As far as I understand XAUTH, the need for shared secrets is simply to be
able to get past the IKEv1 phase 1 exchange so that legacy auth can be done.

  At no time does the legacy auth stuff get *used* as the shared secret.

  (Radius doesn't support returning the "password" to the gateway machine, so 
you can't do things that way, and there is no password for lots of systems)

  So, XAUTH could have just as easily defined a group-shared RSA private
key, or SOI could define a single direction authentication system
(gateway->client).

  If possible, I'd like to see reuse of the SecSH userauth protocol, carried
in SOI's phase1 instead.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys

iQCVAwUBPROPkIqHRg3pndX9AQHP4QQAhTH/M58nGvi1QWBU/4uxRRTXvPFbK+Y6
BCRJkmJRZszgivg8d04ycsEp/pDZnxzOu9eDwCY1JLgtNeZBpK2b4v/kU0NPD8og
Ws1qjCE0CvT4IsoT4Jf1ovC7FyF5C+MyGankz85YJUf0yYH4BJyIBRoqZ7GsmL9y
8teUfPA3ZCA=
=eVBT
-----END PGP SIGNATURE-----
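The message above argues that under XAUTH the shared secret only gets the peers through the IKEv1 phase 1 exchange, and that the legacy credential is checked by a backend such as RADIUS but never enters the key material. The following Python model, added here as an illustration and not part of the original message or of any IKE implementation, makes that observable: it derives the RFC 2409 pre-shared-key SKEYID (prf(pre-shared-key, Ni_b | Nr_b), with HMAC-SHA1 standing in for the negotiated prf) and runs a constructed accept/reject backend beside it. The group PSK, nonces, user names and passwords are all constructed values; `LegacyAuthBackend` and `xauth_phase1` are hypothetical names chosen for the example.

```python
"""Model of the point made in the mail: with a group-shared PSK plus XAUTH,
the PSK is the only secret that keys IKEv1 phase 1 and the legacy
credential is reduced to a yes/no answer from the authentication backend.
All keys, nonces and credentials below are constructed for the example."""
import hashlib
import hmac


def ikev1_skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4, pre-shared key authentication:
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b). HMAC-SHA1 plays the prf here."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


class LegacyAuthBackend:
    """Constructed stand-in for a RADIUS server (hypothetical class).

    Like RADIUS, it holds only verifiers and answers Access-Accept or
    Access-Reject; it never hands the password back to the gateway, so the
    gateway has nothing it could use as keying material."""

    def __init__(self, users: dict[str, str]) -> None:
        self._verifiers = {
            user: hashlib.sha256(password.encode()).digest()
            for user, password in users.items()
        }

    def check(self, user: str, password: str) -> bool:
        """Return True for Access-Accept, False for Access-Reject."""
        verifier = self._verifiers.get(user)
        if verifier is None:
            return False
        candidate = hashlib.sha256(password.encode()).digest()
        return hmac.compare_digest(verifier, candidate)


def xauth_phase1(group_psk: bytes, ni: bytes, nr: bytes,
                 backend: LegacyAuthBackend, user: str,
                 password: str) -> tuple[bytes, bool]:
    """Hypothetical helper: phase 1 keyed by the group PSK, then the legacy
    credential checked as a separate step whose result is only a boolean."""
    skeyid = ikev1_skeyid_psk(group_psk, ni, nr)
    accepted = backend.check(user, password)
    return skeyid, accepted


# Constructed sample values shared by the demonstration and the assertions.
GROUP_PSK = b"group-psk-shared-by-every-client"   # constructed
NI = bytes(range(16))                             # constructed initiator nonce
NR = bytes(range(16, 32))                         # constructed responder nonce
BACKEND = LegacyAuthBackend({"alice": "correct horse", "bob": "battery staple"})


def demo() -> dict[str, object]:
    """Two users, two passwords, one group PSK: identical SKEYID either way,
    which is what 'never used as the shared secret' means in practice."""
    skeyid_alice, ok_alice = xauth_phase1(GROUP_PSK, NI, NR, BACKEND, "alice", "correct horse")
    skeyid_bob, ok_bob = xauth_phase1(GROUP_PSK, NI, NR, BACKEND, "bob", "battery staple")
    skeyid_bad, ok_bad = xauth_phase1(GROUP_PSK, NI, NR, BACKEND, "bob", "wrong")
    skeyid_other_psk = ikev1_skeyid_psk(b"a different group psk", NI, NR)
    return {
        "same_skeyid_across_users": skeyid_alice == skeyid_bob == skeyid_bad,
        "psk_changes_skeyid": skeyid_alice != skeyid_other_psk,
        "accepted": (ok_alice, ok_bob, ok_bad),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Reading the output: the SKEYID is the same for Alice, for Bob, and for a failed login, because only the group PSK and the nonces feed it; changing the PSK is the only thing that changes the phase 1 key. The backend's answer is a boolean that decides whether the exchange continues, which is why the mail concludes that the phase 1 secret could just as well have been a group-shared RSA key, or a one-directional (gateway to client) authentication, without affecting the legacy-auth step at all.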