Re: Authentication Mechanism Matrix (was L2TP vs IPSEC)
"CHINNA N.R. PELLACURU" wrote:
>
> On Tue, 20 Jun 2000, Hugo Krawczyk wrote:
>
> >
> > The PIC protocol (draft-ietf-ipsra-pic-00.txt) can easily accommodate
> > (optional) machine authentication *in addition* to (mandatory)
> > user authentication.
> > I am in favor of providing that option. It was not included in the
> > first draft because we did not want to add options for which there
> > was no clear consensus about their need.
> > From recent discussions in the list it seems to me that there may be
> > strong support for such an option; if so, we can include it in the next
> > version of the draft.
> >
> > Hugo
>
> I don't think there is any real cryptographic benefit of "bootstrapping"
> IKE credentials (that are capable of several magnitudes stronger
> cryptographic authentication) using legacy authentication. Bootstrapping a
> cryptographically very very strong authentication using legacy
> authentication is useless, because the weakest link in this system is still
> the legacy authentication.
>
> And I don't think this scheme could provide "machine authentication"
> because the credentials that would be used to do any kind of further
> authentication are predicated on the "user authentication" that is done
> first. So, it would still be "user authentication".
>
> chinna
It would seem intuitively clear that we should do the strongest possible
authentication first, possibly followed by further authentications. Of course,
this begs the question of what is the strongest authentication method, for which
I have no good answer, but I assume below that it is a certificate based method.

So, if we have a certificate at the client, we should start with ordinary IKE
authentication, followed by X-Auth if further authentication is necessary. To
accommodate using two certificates, X-Auth should be refined to include a certificate
based method.

If the client possesses no certificates yet, we should do PIC or similar, followed
by normal IKE that provides no further authentication.
Ari
--
Ari Huttunen                   phone: +358 9 859 900
Senior Software Engineer       fax  : +358 9 8599 0452
F-Secure Corporation           http://www.F-Secure.com
F-Secure products: Integrated Solutions for Enterprise Security