RE: Re[2]: PPP over IPSec (without L2TP)?

Stephen Kent <kent@bbn.com> Sat, 16 October 1999 00:12 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.imc.org (8.9.3/8.9.3) with ESMTP id RAA06864; Fri, 15 Oct 1999 17:12:54 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id SAA07183 Fri, 15 Oct 1999 18:50:59 -0400 (EDT)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Sender: kent@po1.bbn.com
Message-Id: <v04020a0ab42d4d893d9f@[171.78.6.226]>
In-Reply-To: <19991015174030.14188.rocketmail@web1403.mail.yahoo.com>
Date: Fri, 15 Oct 1999 18:45:05 -0400
To: Pyda Srisuresh <srisuresh@yahoo.com>
From: Stephen Kent <kent@bbn.com>
Subject: RE: Re[2]: PPP over IPSec (without L2TP)?
Cc: aboba@internaut.com, ietf-ipsra@vpnc.org, ipsec@lists.tislabs.com
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

Pyda,

>User vs. Machine authentication is really a key management protocol
>issue (i.e., IKE) - somewhat orthogonal to IPsec architecture (RFC 2401).

RFC 2401 defines ID types that must be supported in the SPD, and which are
aligned with IKE ID payload types. These ID types include X.500 DNs, which
can certainly be used to identify users, and RFC 821 names, which are
specifically user IDs (vs. the DNS ID type, which is designated for
machines).  So I disagree with your assertion that this is purely a key
management protocol issue. I do agree that protocols such as XAUTH
demonstrate a clear intent to authenticate users, not just machines, but
IKE and 2401 make definite statements to that effect already.

Steve
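As an added example, not part of this message or the list archive, here is a small Python encoder/decoder for the IKEv1 Identification payload (generic ISAKMP payload header from RFC 2408, DOI-specific ID types from RFC 2407) that reports whether a given ID names a user or a machine, the distinction Kent's reply turns on. The sample payloads are constructed (documentation addresses and example.com names, not captured traffic), the DER for CN=alice is hand-assembled, and the user/machine classification of each type is the editor's reading of the DOI, not text from either RFC.

```python
"""Encode, validate and classify IKEv1 (IPsec DOI) Identification payloads."""
import ipaddress
import struct
from dataclasses import dataclass

# Identification types from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV4_ADDR_SUBNET = 1, 2, 3, 4
ID_IPV6_ADDR, ID_IPV6_ADDR_SUBNET, ID_IPV4_ADDR_RANGE, ID_IPV6_ADDR_RANGE = 5, 6, 7, 8
ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID = 9, 10, 11

# Exact data sizes for the address-shaped types (address, address+mask, or start+end).
_FIXED_LEN = {ID_IPV4_ADDR: 4, ID_IPV6_ADDR: 16, ID_IPV4_ADDR_SUBNET: 8,
              ID_IPV6_ADDR_SUBNET: 32, ID_IPV4_ADDR_RANGE: 8, ID_IPV6_ADDR_RANGE: 32}

# Next Payload, RESERVED, Payload Length (RFC 2408 s3.2), then ID Type, Protocol ID, Port (RFC 2407 s4.6.2).
HEADER = struct.Struct("!BBHBBH")


@dataclass(frozen=True)
class IdPayload:
    id_type: int
    protocol_id: int
    port: int
    data: bytes


def encode_id_payload(id_type: int, data: bytes, protocol_id: int = 0,
                      port: int = 0, next_payload: int = 0) -> bytes:
    """Payload Length covers the 8-byte header plus the identification data."""
    return HEADER.pack(next_payload, 0, HEADER.size + len(data), id_type, protocol_id, port) + data


def decode_id_payload(buf: bytes) -> IdPayload:
    """Parse one Identification payload from the start of buf; raise ValueError on malformed input."""
    if len(buf) < HEADER.size:
        raise ValueError("short payload header")
    _next, reserved, length, id_type, protocol_id, port = HEADER.unpack_from(buf)
    if reserved != 0:
        raise ValueError("RESERVED must be zero")
    if length < HEADER.size or length > len(buf):
        raise ValueError("payload length outside buffer")
    data = bytes(buf[HEADER.size:length])
    if id_type in _FIXED_LEN and len(data) != _FIXED_LEN[id_type]:
        raise ValueError(f"ID type {id_type} needs {_FIXED_LEN[id_type]} bytes, got {len(data)}")
    if id_type in (ID_FQDN, ID_USER_FQDN):
        text = data.decode("ascii")  # UnicodeDecodeError is a ValueError
        if not text or "\x00" in text:
            raise ValueError("empty or NUL-containing name")
        if (id_type == ID_USER_FQDN) != ("@" in text):
            raise ValueError("USER_FQDN must be user@host; FQDN must not contain '@'")
    if id_type == ID_DER_ASN1_DN:
        # A DN is a DER SEQUENCE; check the tag and (short-form) length so truncated DNs are rejected.
        if len(data) < 2 or data[0] != 0x30 or data[1] >= 0x80 or data[1] != len(data) - 2:
            raise ValueError("DN is not a well-formed short-form DER SEQUENCE")
    return IdPayload(id_type, protocol_id, port, data)


def identity_kind(p: IdPayload) -> str:
    """Editor's classification: which kind of principal the ID type names."""
    if p.id_type == ID_USER_FQDN:
        return "user"              # an RFC 822 mailbox names a person
    if p.id_type == ID_DER_ASN1_DN:
        return "user-or-machine"   # a DN can name either; the certificate and SPD entry decide
    if p.id_type in _FIXED_LEN or p.id_type == ID_FQDN:
        return "machine"           # addresses, subnets, ranges and DNS names identify hosts
    return "opaque"                # GeneralName or KEY_ID: meaning is local policy


def describe(p: IdPayload) -> str:
    if p.id_type == ID_IPV4_ADDR:
        return str(ipaddress.IPv4Address(p.data))
    if p.id_type == ID_IPV6_ADDR:
        return str(ipaddress.IPv6Address(p.data))
    if p.id_type in (ID_FQDN, ID_USER_FQDN):
        return p.data.decode("ascii")
    return p.data.hex()


def rejects(raw: bytes) -> bool:
    """True if the decoder refuses the payload (used to exercise the validation paths)."""
    try:
        decode_id_payload(raw)
    except ValueError:
        return True
    return False


# Constructed samples (not captured traffic). Phase 1 IDs carry protocol/port 0 or UDP/500 per RFC 2407.
SAMPLES = {
    "gateway-ipv4": encode_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address("192.0.2.1").packed, 17, 500),
    "gateway-fqdn": encode_id_payload(ID_FQDN, b"gw1.example.com"),
    "user-rfc822": encode_id_payload(ID_USER_FQDN, b"alice@example.com"),
    # Hand-assembled DER: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String "alice" } } }
    "user-dn": encode_id_payload(ID_DER_ASN1_DN, bytes.fromhex("3010310e300c06035504030c05616c696365")),
}


def classify_samples() -> dict:
    out = {}
    for name, raw in SAMPLES.items():
        p = decode_id_payload(raw)
        out[name] = (identity_kind(p), describe(p))
    return out


if __name__ == "__main__":
    for name, (kind, ident) in classify_samples().items():
        print(f"{name:14} {kind:16} {ident}")
```

The decoder checks each ID type against its own shape (fixed sizes for addresses, ASCII and the presence or absence of `@` for the two name types, a DER SEQUENCE header for DNs) before anything downstream consults the SPD, so an implementation cannot be talked into treating a host name as a user mailbox or vice versa by mislabelling the type.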