Re: [Fwd: New XAUTH draft]

["Roy Pereira" <rp96@xxxxxxxxxxx>]

Again, I fail to understand what this has to do with XAUTH.  You would have 
the same problem if you were stupid enough to use the same shared secret for 
a large group of people in a real working environment, with or without 
XAUTH.  XAUTH can be used with shared secrets or with the more secure 
certificate mechanisms.

Just because you want to use your existing RADIUS authentication server, 
doesn't mean that you forgo your phase security.

btw: 'Hybrid' addresses those scenarios where you do not wish to establish 
the normal IKE phase 1 security contexts.


> From: Tamir Zegman <zegman@xxxxxxxxxxxxxx>
> To: ipsec@xxxxxxxxxxxxxxxxx
> Subject: [Fwd: New XAUTH draft]
> Date: Thu, 30 Sep 1999 23:05:43 +0200
>
>  
>
> Dan Harkins wrote:
> < trimmed >
>
> >  
> > The client is presumed to be coming from an unknown IP address so it's
> > difficult to have multiple pre-shared keys on the gateway because he
> > won't know which one to use. But even if you do find some way 
> (aggressive
> > mode using ID_KEYID with some blob there which says "use pre-shared key
> > foo" for instance) you still have the burden of maintainance of the
> > multiple pre-shared key sets and managing who goes into what set. That
> > becomes very Rube Goldbergian and still does not overcome the fact that
> > any member in a set can snoop traffic or inpersonate any other member of
> > the set.
> >
> >   Dan.
>
> On top of what Dan said, consider an employee who was just sacked.
> You now need to modify the pre-shared key used by the set of users he used 
> to
> belong to.
> You'll need to notify (in a secure manner) all members of the group and 
> give
> them the new group secret!
>  

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com