Re: User-level Authentication Mechanisms for IPsec
"Scott G. Kelly" wrote:
>
> > How is this IKE SA authenticated?
> > Since you do not encourage the use of pre-shared keys (I don't either), I
> > assume you authenticate the IKE SA using certificates (or some other
> > strong method of authentication based on GSS API).
> > If this is the case, you are very close to being able to deploy user
> > certificates.
> > In which case, in my opinion, you do not need to support legacy
> > authentication systems.
>
> I don't encourage the use of preshared keys, but I recognize that there
> are organizations which may require their use, so I won't rule them out
> completely. You are correct in that I typically do not recommend them.
> During the transition process, I think a hybrid technique (like CRACK)
> may be appropriate for authenticating the IKE SA, as well as stronger
> methods.
>
> The draft discusses the notion that even if there were a ubiquitous PKI,
> passwords would probably still be required. I don't think they'll ever
> go away completely.
>
> Scott
I fail to see why your draft would be needed if something like CRACK
is being used. Could you enlighten me?
--
Ari Huttunen phone: +358 9 859 900
Senior Software Engineer fax : +358 9 8599 0452
Data Fellows Corporation http://www.DataFellows.com
F-Secure products: Integrated Solutions for Enterprise Security