
RE: SOI QUESTIONS: 2.3 Authentication styles



You are correct about XAUTH, but I was not suggesting XAUTH be used with
IKEv2.  What a legacy auth mechanism would permit is an SGW implementation
with a local definition of a PW similar in appearance to a shared secret.
While not the same as a shared secret, it is likely similar enough for
vendors to use if they have customers requiring that a human-readable secret be
distributed to many users/peers.

Darren


> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Michael Richardson
> Sent: Friday, June 21, 2002 4:42 PM
> To: ipsec@lists.tislabs.com
> Subject: Re: SOI QUESTIONS: 2.3 Authentication styles
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> >>>>> "Darren" == Darren Dukes <ddukes@cisco.com> writes:
>     >> 2.3.B.)  Does SOI need to natively support some kind of "shared
>     >> secret" scheme?  (Or just certificates-only?)
>     Darren> Short answer: No but MUST support native legacy authentication if
>     Darren> shared secrets don't exist.
>
>   As far as I understand XAUTH, the need for shared secrets is simply to be
> able to get past the IKEv1 phase 1 exchange so that legacy auth can be done.
>
>   At no time does the legacy auth stuff get *used* as the shared secret.
>
>   (Radius doesn't support returning the "password" to the gateway machine, so
> you can't do things that way, and there is no password for lots of systems)
>
>   So, XAUTH could have just as easily defined a group-shared RSA private
> key, or SOI could define a single-direction authentication system
> (gateway->client).
>
>   If possible, I'd like to see reuse of the SecSH userauth protocol, carried
> in SOI's phase1 instead.
>
> ]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> ] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: latin1
> Comment: Finger me for keys
>
> iQCVAwUBPROPkIqHRg3pndX9AQHP4QQAhTH/M58nGvi1QWBU/4uxRRTXvPFbK+Y6
> BCRJkmJRZszgivg8d04ycsEp/pDZnxzOu9eDwCY1JLgtNeZBpK2b4v/kU0NPD8og
> Ws1qjCE0CvT4IsoT4Jf1ovC7FyF5C+MyGankz85YJUf0yYH4BJyIBRoqZ7GsmL9y
> 8teUfPA3ZCA=
> =eVBT
> -----END PGP SIGNATURE-----