RE: Re[2]: PPP over IPSec (without L2TP)?
Stephen Kent <kent@bbn.com> Mon, 18 October 1999 19:39 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.imc.org (8.9.3/8.9.3) with ESMTP id MAA02890; Mon, 18 Oct 1999 12:39:42 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id KAA15472 Mon, 18 Oct 1999 10:24:07 -0400 (EDT)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Sender: kent@po1.bbn.com
Message-Id: <v04020a00b430dac3f769@[171.78.6.226]>
In-Reply-To: <19991017185851.7990.rocketmail@web1403.mail.yahoo.com>
Date: Mon, 18 Oct 1999 10:16:37 -0400
To: Pyda Srisuresh <srisuresh@yahoo.com>
From: Stephen Kent <kent@bbn.com>
Subject: RE: Re[2]: PPP over IPSec (without L2TP)?
Cc: aboba@internaut.com, ietf-ipsra@vpnc.org, ipsec@lists.tislabs.com
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Pyda,

>Ah, I see where you are coming from. Sure, RFC 2401 does allow using
>user-IDs to describe SPD. That is necessary, but not a sufficient
>condition to support user-ID authentication. IKE is the one that
>does the actual user-ID authentication and hence provides the
>sufficiency for user-ID support.

I don't think that we're significantly disagreeing here. IPsec, as defined by the architecture document (RFC 2401) clearly mandates support for user level auth, because it makes no sense to base access control decisions on user IDs unless one authenticates users. The question, then, is how to accomplish that. Because IPsec does not mandate use of IKE, per se, 2401 can't go into more detail re how one accomplishes user level auth for IPsec.

>Further, we are not just talking about being able to use user-ID for
>authentication, but the actual method of authenticating the user-ID.
>I believe, the confusion about user-ID authentication arises not
>because IKE does not support user-ID auth, but because it does not
>support asymmetric and legacy authentication methods.

The method used is of importance, but it is not the defining facet of whether IPsec supports user auth. I certainly DISAGREE with your last statement. Plain old IKE DOES support user auth, e.g., by associating private key material with a user. What it does not support is legacy user auth mechanisms.

>> I do agree that protocols such as XAUTH
>> demonstrate a clear intent to authenticate users, not just machines, but
>> IKE and 2401 make definite statements to that effect already.
>>
>
>I believe, XAUTH and HYBRID-AUTH drafts (a) demonstrate the need for
>asymmetric and legacy authentication methods, and (b) attempt to address
>these in different ways as extensions to IKE.

The XAUTH and HYBRID-AUTH IDs demonstrate a clear desire by vendors to sell into environments that are reluctant to deploy PKIs. That is not quite the same as your statement above.

Steve