
RE: User-level Authentication Mechanisms for IPsec




Hi Ari,

> -----Original Message-----
> From: Ari Huttunen [mailto:Ari.Huttunen@xxxxxxxxxxxxxxx]
> Sent: Tuesday, October 26, 1999 12:33 AM
> To: Scott G. Kelly
> Cc: Tamir Zegman; ietf-ipsra@xxxxxxxx
> Subject: Re: User-level Authentication Mechanisms for IPsec
>
< snip >
>
> I fail to see why your draft would be needed if something like CRACK
> is being used. Could you enlighten me?


Both CRACK and XAUTH attempt user authentication within IKE.
I'm pretty sure that's not necessary and I'm not convinced it's
a good fit since user authentication has to play at the application
level.  The ULA draft presents an alternative: use a protocol SA to
secure user authentication.  Once authenticated (by any number of means,
of which some are legacy and others are coming down the pipe), modify
the SA selectors to permit access.

Most appealing is the separation of ULA from IKE and simple use of
IPSEC at lower layers.  I find the separation appealing because
user authentication already takes many forms and has many uses
and I doubt we foresee all of these.  So, I'd rather solve that
piece of the puzzle outside of IKE.


Regards,

Jim

>
> --
> Ari Huttunen                   phone: +358 9 859 900
> Senior Software Engineer       fax  : +358 9 8599 0452
>
> Data Fellows Corporation       http://www.DataFellows.com
>
> F-Secure products: Integrated Solutions for Enterprise Security
>
>