
Re: L2TP is ipsra solution (?)



"CHINNA N.R. PELLACURU" wrote:
> 
> Since I did not get much response to my questions requiring clarifications
> of ipsra requirements, I take the liberty to guess them, based on the fact
> that PIC was acceptable to the requirements.
> 
> If PIC was acceptable to the ipsra requirements, then I believe L2TP/IPSec
> meets those requirements too, and in fact I believe L2TP/IPSec is a better
> way of meeting those requirements than PIC.

PIC does not require the client to already have a machine certificate,
L2TP/IPSec does. In this respect L2TP/IPSec is more like X-Auth; you
first do machine authentication with certificates, followed by legacy
authentication with passwords or whatever.

If L2TP/IPSec is acceptable to the ipsra requirements, X-Auth should
also be similarly acceptable.

Ari

> 
> This is because,
> 
> 1. In L2TP/IPSec we have the flexible framework to do a possibly stronger
> authentication (using digital signatures) in IKE before a possibly weaker
> authentication (using simple password based mechanisms) with legacy
> authentication systems. But, in PIC, the stronger authentication is
> predicated by a weak authentication (because credentials needed for the
> stronger authentication are provisioned based on the weaker
> authentication), which makes the stronger authentication useless.
> 
> 2. L2TP/IPSec solution has the flexible framework of not mandating the use
> of PKI, to do legacy authentication. This is because, any standard form of
> authentication supported by IKE can be used. But, in PIC, since it is
> based on the signature authentication method in IKE aggressive mode, the
> customer is mandated to have a PKI, which I feel is missing the basic
> purpose of customer dissatisfaction, that led to formation of another WG:
> ipsra. I guess, if ipsra also mandates PKI, then customers will force us
> to form yet another WG to deal with the fact that they are not yet ready
> for the PKI pill.
> 
> 3. In PIC, since the whole process of authentication is predicated on the
> first authentication, and this first authentication can be considered as
> "user authentication" based on legacy authentication systems, there is no
> real scope for a good "machine authentication" (I am assuming the common
> sense definitions of "user authentication" Vs "machine authentication", as
> opposed to the cryptographic one, which I am not aware of). Since, in
> L2TP/IPSec, the two stages of authentication are independent for the most
> part (although the second authentication is protected by the first), we
> could do "machine authentication" in IKE, and do "user authentication" in
> L2TP.
> 
>     chinna
> 
> chinna narasimha reddy pellacuru
> s/w engineer

-- 
Ari Huttunen                   phone: +358 9 859 900
Senior Software Engineer       fax  : +358 9 8599 0452

F-Secure Corporation       http://www.F-Secure.com 

F-Secure products: Integrated Solutions for Enterprise Security