
RE: l2tp as ipsra solution

> > As for tunneling, IPsec tunnel mode is more efficient than L2TP+IPsec
> > transport mode. I don't think that tunneling non-IP protocols is in the
> > scope of this working group, so the ability of L2TP to tunnel non-IP
> > protocol is irrelevant.
> So "remote access" is defined narrowly as "remote access to IP-based
> networks"?

In the context of ipsra - yes! (ipsra = IP Security Remote Access)

> >
> > As for legacy authentication, it was already noted that authenticated IPsec
> > keys must exist before the PPP authentication. Some have suggested the idea
> > of machine keys used to authenticate IKE exchanges, and then a separate step
> > of authenticating the user. The main benefit of this separation is that we
> > can easily solve this problem. But in the general case there is no separation
> > between machine and human credentials.
> So "remote access to IP-based networks" does not include e.g. a dial on
> demand connection from a router on a home office network to a central office
> network?

The question has two answers:

1. Remote access does not equal dial-up. I think that the problems of remote
access come mainly from the way a human interacts with the system rather than
from the way the machine's connection to the internet is established. The
problems of a user using dial-up and of a user using a cable modem which is
connected 100% of the time are more similar than those of a dial-up user and a
dial-on-demand router.

2. From the charter of the workgroup "The authenticated entity must be a
human user, i.e. human interaction is required during the authentication

> >
> > A different solution to this problem is to use the hybrid mode to create
> > one-way authentication to the IPsec keys, and then use PPP authentication.
> > This solution is forbidden according to the charter, but if we don't want to
> > use it (or something similar) the PPP authentication abilities are useless.
> I see. So "User authentication" is useless?  Why are we talking, then?

I didn't say that user authentication is useless. But the user authentication
of PPP in the combination L2TP+IPsec is done AFTER the SAs are established. If
a complete authentication was done in IKE then further authentication is
useless. If no authentication (or weak authentication) was done in IKE, then
the PPP authentication is open to attacks, so it is useless (or at least has
VERY limited use).

There is a way to do the server authentication in IKE and the user
authentication in PPP. But unfortunately this method does not appear in the
IKE RFCs, and quoting again from the charter: "The WG strongly prefers
mechanisms that require no changes to AH, ESP or IKE protocols. If such
changes are deemed necessary, the IPSec WG is contracted to carry out such
changes" (by mistake I wrote that the charter forbids changes. I am glad to
see that it does not.)
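The ordering argument in the message (IKE and the IPsec SA come first, PPP user authentication only runs afterwards inside the L2TP tunnel, so its value depends entirely on what IKE already proved) can be modelled as a small client-side policy. The following is an added example written for this page, not code from the list thread, the ipsra WG or any IKE/L2TP implementation. The `IkeOutcome` fields, the verdict labels and the `run_remote_access` simulation are constructed for illustration; the only standard piece is the CHAP MD5 response, computed as in RFC 1994 (MD5 over Identifier, secret and Challenge).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed model of the stack order discussed in the message:
#   IKE -> IPsec SA -> L2TP tunnel -> PPP (CHAP) user authentication
# The PPP exchange is protected only as well as the SA it rides in.


@dataclass(frozen=True)
class IkeOutcome:
    """What the IKE phase achieved (field names are assumptions for this model)."""
    sa_established: bool          # does an IPsec SA exist for L2TP to run over?
    server_authenticated: bool    # did the client verify the gateway's identity in IKE?
    user_authenticated: bool      # did IKE already authenticate the human user?


def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994 section 4.1): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_md5_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Gateway-side check of a CHAP response, in constant time."""
    expected = chap_md5_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def classify_ppp_auth(ike: IkeOutcome) -> str:
    """Map the IKE outcome to the three cases the message distinguishes."""
    if not ike.sa_established:
        return "no-sa"          # L2TP/PPP cannot even start before the SA exists
    if ike.user_authenticated:
        return "redundant"      # IKE already authenticated the user; PPP adds nothing
    if not ike.server_authenticated:
        return "exposed"        # the CHAP answer would go to an unverified peer
    return "meaningful"         # server proven in IKE, user proven in PPP (hybrid style)


def run_remote_access(ike: IkeOutcome, username: str, user_secret: bytes,
                      gateway_db: dict) -> tuple[str, bool]:
    """Simulate the client deciding whether to run PPP CHAP and the gateway checking it.

    Returns (verdict, accepted). The client refuses to send credentials at all in the
    'no-sa' and 'exposed' cases; in the 'redundant' case IKE's result stands alone.
    """
    verdict = classify_ppp_auth(ike)
    if verdict in ("no-sa", "exposed"):
        return verdict, False
    if verdict == "redundant":
        return verdict, True
    # Gateway issues a CHAP challenge inside the tunnel; the client answers it.
    identifier = 7                       # arbitrary CHAP Identifier for this simulation
    challenge = os.urandom(16)
    response = chap_md5_response(identifier, user_secret, challenge)
    stored_secret = gateway_db.get(username, b"")
    accepted = chap_md5_verify(identifier, stored_secret, challenge, response)
    return verdict, accepted


if __name__ == "__main__":
    # Constructed sample: one user record on the gateway side.
    db = {"alice": b"correct-horse"}
    hybrid = IkeOutcome(sa_established=True, server_authenticated=True, user_authenticated=False)
    print(run_remote_access(hybrid, "alice", b"correct-horse", db))   # ('meaningful', True)
    anonymous = IkeOutcome(sa_established=True, server_authenticated=False, user_authenticated=False)
    print(run_remote_access(anonymous, "alice", b"correct-horse", db))  # ('exposed', False)
```

The useful check is `classify_ppp_auth`: a client that only sends CHAP credentials in the "meaningful" case never hands its user secret (or a hash of it) to a peer that IKE did not authenticate, which is exactly the weakness the message points at when IKE does no or weak authentication.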