
Re: L2TP is ipsra solution (?)



On Mon, 26 Jun 2000, Ari Huttunen wrote:

> "CHINNA N.R. PELLACURU" wrote:
> > 
> > Since I did not get much response to my questions requiring clarifications
> > of ipsra requirements, I take the liberty to guess them, based on the fact
> > that PIC was acceptable to the requirements.
> > 
> > If PIC was acceptable to the ipsra requirements, then I believe L2TP/IPSec
> > meets those requirements too, and in fact I believe L2TP/IPSec is a better
> > way of meeting those requirements than PIC.
> 
> PIC does not require the client to already have a machine certificate,
> L2TP/IPSec does. In this respect L2TP/IPSec is more like X-Auth; you
> first do machine authentication with certificates, followed by legacy
> authentication with passwords or whatever.
> 
> If L2TP/IPSec is acceptable to the ipsra requirements, X-Auth should
> also be similarly acceptable.
> 
> Ari

There is a huge distinction. L2TP doesn't extend IKE, i.e. doesn't have
any weird assumptions that it should be done between IKE phase1 and IKE
phase2 (so Xauth is mucking with the semantics of the IKE standard, if not
the syntax).

And, IMO it would be ridiculous on our part even to think of comparing
Xauth with L2TP. L2TP clearly is the cleanest, most modular way of
integrating Authentication, Authorization, Accounting infrastructures into
an IPSec remote access VPN.

"machine certificate": As I said before L2TP doesn't have to make any
assumptions on what goes on in IKE phase1. We can use any standard IKE
phase1 authentication, including pre-shared keys, or based on public key
operations, that are done using pre-configured public keys.

    chinna

> > 
> >     chinna
> > 
> > chinna narasimha reddy pellacuru
> > s/w engineer
> 
> -- 
> Ari Huttunen                   phone: +358 9 859 900
> Senior Software Engineer       fax  : +358 9 8599 0452
> 
> F-Secure Corporation       http://www.F-Secure.com 
> 
> F-Secure products: Integrated Solutions for Enterprise Security
> 

chinna narasimha reddy pellacuru
s/w engineer