L2TP is ipsra solution (?)
Since I did not get much response to my questions requiring clarifications
of the ipsra requirements, I take the liberty to guess them, based on the fact
that PIC was acceptable to the requirements.
If PIC was acceptable to the ipsra requirements, then I believe L2TP/IPSec
meets those requirements too, and in fact I believe L2TP/IPSec is a better
way of meeting those requirements than PIC.
This is because,
1. In L2TP/IPSec we have the flexible framework to do a possibly stronger
authentication (using digital signatures) in IKE before a possibly weaker
authentication (using simple password-based mechanisms) with legacy
authentication systems. But, in PIC, the stronger authentication is
predicated on a weak authentication (because the credentials needed for the
stronger authentication are provisioned based on the weaker
authentication), which makes the stronger authentication useless.
2. The L2TP/IPSec solution has the flexible framework of not mandating the use
of PKI to do legacy authentication. This is because any standard form of
authentication supported by IKE can be used. But, in PIC, since it is
based on the signature authentication method in IKE aggressive mode, the
customer is mandated to have a PKI, which I feel misses the basic
point of the customer dissatisfaction that led to the formation of another WG:
ipsra. I guess, if ipsra also mandates PKI, then customers will force us
to form yet another WG to deal with the fact that they are not yet ready
for the PKI pill.
3. In PIC, since the whole process of authentication is predicated on the
first authentication, and this first authentication can be considered as
"user authentication" based on legacy authentication systems, there is no
real scope for a good "machine authentication" (I am assuming the common
sense definitions of "user authentication" vs. "machine authentication", as
opposed to the cryptographic ones, which I am not aware of). Since, in
L2TP/IPSec, the two stages of authentication are independent for the most
part (although the second authentication is protected by the first), we
could do "machine authentication" in IKE and "user authentication" in
L2TP.
chinna
chinna narasimha reddy pellacuru
s/w engineer