RE: Authentication Mechanism Matrix (was L2TP vs IPSEC)
Andrew Krywaniuk [mailto://andrew.krywaniuk@xxxxxxxxxxx] writes:
> Well, that was basically my point. None of the recent proposals have dealt
> with the issue of authenticating both user and machine.
>
> Is this a requirement for ipsra? I haven't heard a lot of demand
> for it, but
> there is that one recent e-mail, and it sounds like the kind of thing that
> customers might expect in hindsight, but not ask for up front.
>
> I have a hard time believing that we're going to accomplish this without
> "changing IKE."
Try L2TP/IPSec w/EAP-TLS.
>
> To be more precise, I should have asked: "What is the proposal for doing
> this with user certs? Sign with both in MM5?"
How can you authenticate a machine with the same cert as the user? Can't be
done, I wouldn't think...
>
> Andrew
> --------------------------------------
> Beauty with out truth is insubstantial.
> Truth without beauty is unbearable.
>
>
> > -----Original Message-----
> > From: Ben McCann [mailto:bmccann@xxxxxxxxxxxxxx]
> > Sent: Thursday, June 15, 2000 3:35 PM
> > To: andrew.krywaniuk@xxxxxxxxxxx
> > Cc: 'IPSRA list'
> > Subject: Authentication Mechanism Matrix (was L2TP vs IPSEC)
> >
> >
> > > XAuth, when used in non-Hybrid mode, will authenticate both
> > the user and the
> > > machine. What is the proposal for doing this with user
> > certs? Sign with
> > > both?
> >
> > Separate user and machine certificates was not my requirement but I
> > can see why it would be attractive. (Recall the mail from
> > 'John Deere').
> > I assume you would have to sign with both because how else do you prove
> > possession of _both_ private keys? The second round of signatures
> > certainly breaks XAUTH as currently defined.
> >
> > It's moot anyway because XAUTH isn't an acceptable IPSRA solution.
> >
> >
> > This raises the question of what are the authentication requirements?
> > My requirements, by entity, are:
> >
> > Gateway Authentication
> >     Certificate
> >
> > Remote User's Machine Authentication
> >     None
> >     Certificate
> >
> > Remote User (Person) Authentication
> >     Password
> >     Challenge/Response
> >     Token Card (such as SecurID)
> >     Certificate (SmartCard of some kind?)
> >
> > Within these sets, I would require support for all
> > permutations of gateway,
> > user machine, and user (person) authentication algorithms.
> > Some examples:
> >
> > Gateway       Remote Machine   Remote User
> > -------       --------------   -----------
> > Certificate   None             Password         (hybrid-auth)
> > Certificate   Certificate      Password         (XAUTH or L2TP)
> > Certificate   Certificate #1   Certificate #2   (?????)
> >
> > Note that I did not include pre-shared keys as a requirement for remote
> > access scenarios. Others may wish to add them to the list.
> >
> > -Ben McCann
> >
> > --
> > Ben McCann Indus River Networks
> > 31 Nagog Park
> > Acton, MA, 01720
> > email: bmccann@xxxxxxxxxxxxxx web: www.indusriver.com
> > phone: (978) 266-8140 fax: (978) 266-8111
> >
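The last row of Ben's matrix (gateway cert, machine cert #1, user cert #2) and his question of how else one proves possession of both private keys are the core of this thread. The following is an added example, not code from any poster or product in the thread, that models the "sign with both" idea as a generic exchange: the client signs one shared authentication transcript with the machine key and again with the user key, and the gateway accepts only if both signatures verify. Assumptions: ECDSA P-256 public keys stand in for the two certificates (no X.509 chain validation is shown), the transcript is a constructed nonce-plus-identity structure rather than IKE's actual main-mode payloads, and the names Transcript, SignDual and VerifyDual are this example's own. It also shows the two failure cases a practitioner cares about: a client holding only the user key, and a replay of a valid dual signature under fresh nonces.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transcript is what both sides agree on before authentication: both nonces
// plus the identities being claimed. Binding signatures to the gateway's nonce
// is what stops a captured dual signature from being replayed later.
// (Constructed model for this example, not IKE's exact MM5 contents.)
type Transcript struct {
	GatewayNonce []byte
	ClientNonce  []byte
	MachineID    string
	UserID       string
}

// Hash length-prefixes each field so field boundaries cannot be shifted.
func (t Transcript) Hash() []byte {
	var buf bytes.Buffer
	for _, f := range [][]byte{t.GatewayNonce, t.ClientNonce, []byte(t.MachineID), []byte(t.UserID)} {
		_ = binary.Write(&buf, binary.BigEndian, uint32(len(f)))
		buf.Write(f)
	}
	sum := sha256.Sum256(buf.Bytes())
	return sum[:]
}

// DualSignature carries one signature from each private key over the same
// transcript hash; possession of both keys is proven only if both verify.
type DualSignature struct {
	MachineSig []byte
	UserSig    []byte
}

var (
	ErrMachineAuth = errors.New("machine signature did not verify")
	ErrUserAuth    = errors.New("user signature did not verify")
)

// SignDual is the remote-access client's side: sign the transcript with the
// machine key and again with the user (person) key.
func SignDual(t Transcript, machineKey, userKey *ecdsa.PrivateKey) (DualSignature, error) {
	h := t.Hash()
	ms, err := ecdsa.SignASN1(rand.Reader, machineKey, h)
	if err != nil {
		return DualSignature{}, err
	}
	us, err := ecdsa.SignASN1(rand.Reader, userKey, h)
	if err != nil {
		return DualSignature{}, err
	}
	return DualSignature{MachineSig: ms, UserSig: us}, nil
}

// VerifyDual is the gateway's side: each signature must verify against the
// public key from the corresponding (already validated) certificate. A client
// that holds only one of the two private keys cannot produce both.
func VerifyDual(t Transcript, sig DualSignature, machinePub, userPub *ecdsa.PublicKey) error {
	h := t.Hash()
	if !ecdsa.VerifyASN1(machinePub, h, sig.MachineSig) {
		return ErrMachineAuth
	}
	if !ecdsa.VerifyASN1(userPub, h, sig.UserSig) {
		return ErrUserAuth
	}
	return nil
}

// NewKey generates a P-256 key standing in for the key behind a certificate.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewTranscript draws fresh nonces for one authentication exchange.
func NewTranscript(machineID, userID string) (Transcript, error) {
	gn, cn := make([]byte, 16), make([]byte, 16)
	if _, err := rand.Read(gn); err != nil {
		return Transcript{}, err
	}
	if _, err := rand.Read(cn); err != nil {
		return Transcript{}, err
	}
	return Transcript{GatewayNonce: gn, ClientNonce: cn, MachineID: machineID, UserID: userID}, nil
}

func main() {
	machineKey, _ := NewKey()
	userKey, _ := NewKey()
	tr, _ := NewTranscript("laptop-42", "alice")

	sig, _ := SignDual(tr, machineKey, userKey)
	fmt.Println("both keys present:", VerifyDual(tr, sig, &machineKey.PublicKey, &userKey.PublicKey))

	// User carries their cert to an unmanaged machine: only the user key exists,
	// so the client can at best sign both slots with it.
	rogue, _ := SignDual(tr, userKey, userKey)
	fmt.Println("user key only:", VerifyDual(tr, rogue, &machineKey.PublicKey, &userKey.PublicKey))

	// A captured dual signature replayed under fresh nonces fails as well.
	tr2, _ := NewTranscript("laptop-42", "alice")
	fmt.Println("replayed:", VerifyDual(tr2, sig, &machineKey.PublicKey, &userKey.PublicKey))
}
```

The gateway reports which of the two checks failed; in a real deployment you would log that distinction (machine vs. user) but return one generic failure to the client, so an attacker cannot learn which key they are missing.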