[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Authentication Mechanism Matrix (was L2TP vs IPSEC)



Well, that was basically my point. None of the recent proposals have dealt
with the issue of authenticating both user and machine.

Is this a requirement for ipsra? I haven't heard a lot of demand for it, but
there is that one recent e-mail, and it sounds like the kind of thing that
customers might expect in hindsight, but not ask for up front.

I have a hard time believing that we're going to accomplish this without
"changing IKE."

To be more precise, I should have asked: "What is the proposal for doing
this with user certs? Sign with both in MM5?"

Andrew
--------------------------------------
Beauty with out truth is insubstantial.
Truth without beauty is unbearable.


> -----Original Message-----
> From: Ben McCann [mailto:bmccann@xxxxxxxxxxxxxx]
> Sent: Thursday, June 15, 2000 3:35 PM
> To: andrew.krywaniuk@xxxxxxxxxxx
> Cc: 'IPSRA list'
> Subject: Authentication Mechanism Matrix (was L2TP vs IPSEC)
>
>
> > XAuth, when used in non-Hybrid mode, will authenticate both
> the user and the
> > machine. What is the proposal for doing this with user
> certs? Sign with
> > both?
>
> Separate user and machine certificates was not my requirement but I
> can see why it would be attractive. (Recall the mail from
> 'John Deere').
> I assume you would have to sign with both because how else do prove
> possession of _both_ private keys? The second round of signatures
> certainly breaks XAUTH as currently defined.
>
> Its moot anyway because XAUTH isn't an acceptable IPSRA solution.
>
>
> This raises the question of what are the authentication requirements?
> My requirements, by entity, are:
>
> Gateway Authentication
>     Certificate
>
> Remote User' Machine Authentication
>     None
>     Certificate
>
> Remote User (Person) Authentication
>     Password
>     Challenge/Response
>     Token Card (such as Secure ID)
>     Certificate (SmartCard of some kind?)
>
> Within these sets, I would require support for all
> permutations of gateway,
> user machine, and user (person) authentication algorithms.
> Some examples:
>
> 	Gateway		Remote Machine	    Remote User
> 	-------		--------------	    -----------
> 	Certificate	None		    Password
> (hybrid-auth)
> 	Certificate	Certificate	    Password
> (XAUTH or L2TP)
> 	Certificate	Certificate #1	    Certificate #2  (?????)
>
> Note that I did not include pre-shared keys as a requirement
> for a remote
> access scenarios. Other's may wish to add them to the list.
>
> -Ben McCann
>
> --
> Ben McCann                              Indus River Networks
>                                         31 Nagog Park
>                                         Acton, MA, 01720
> email: bmccann@xxxxxxxxxxxxxx           web: www.indusriver.com
> phone: (978) 266-8140                   fax: (978) 266-8111
>