Authentication Mechanism Matrix (was L2TP vs IPSEC)
> XAuth, when used in non-Hybrid mode, will authenticate both the user and the
> machine. What is the proposal for doing this with user certs? Sign with
> both?
Separate user and machine certificates were not my requirement, but I
can see why it would be attractive. (Recall the mail from 'John Deere'.)
I assume you would have to sign with both, because how else do you prove
possession of _both_ private keys? The second round of signatures
certainly breaks XAUTH as currently defined.
It's moot anyway, because XAUTH isn't an acceptable IPSRA solution.
This raises the question of what are the authentication requirements?
My requirements, by entity, are:
  Gateway Authentication
    Certificate
  Remote User's Machine Authentication
    None
    Certificate
  Remote User (Person) Authentication
    Password
    Challenge/Response
    Token Card (such as Secure ID)
    Certificate (SmartCard of some kind?)
Within these sets, I would require support for all permutations of gateway,
user machine, and user (person) authentication algorithms. Some examples:
Gateway       Remote Machine   Remote User
-------       --------------   -----------
Certificate   None             Password         (hybrid-auth)
Certificate   Certificate      Password         (XAUTH or L2TP)
Certificate   Certificate #1   Certificate #2   (?????)
Note that I did not include pre-shared keys as a requirement for remote
access scenarios. Others may wish to add them to the list.
-Ben McCann
--
Ben McCann Indus River Networks
31 Nagog Park
Acton, MA, 01720
email: bmccann@xxxxxxxxxxxxxx web: www.indusriver.com
phone: (978) 266-8140 fax: (978) 266-8111