RE: Re[2]: PPP over IPSec (without L2TP)?
Pyda Srisuresh <srisuresh@yahoo.com> Fri, 15 October 1999 19:27 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.imc.org (8.9.3/8.9.3) with ESMTP id MAA03663; Fri, 15 Oct 1999 12:27:44 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA05360 Fri, 15 Oct 1999 13:25:12 -0400 (EDT)
Message-ID: <19991015174030.14188.rocketmail@web1403.mail.yahoo.com>
Date: Fri, 15 Oct 1999 10:40:30 -0700
From: Pyda Srisuresh <srisuresh@yahoo.com>
Subject: RE: Re[2]: PPP over IPSec (without L2TP)?
To: Stephen Kent <kent@bbn.com>, aboba@internaut.com
Cc: ietf-ipsra@vpnc.org, ipsec@lists.tislabs.com
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
--- Stephen Kent <kent@bbn.com> wrote:
<... stuff deleted>
>
> The statement about user vs. machine authentication is incorrect, and
> consistent with the misunderstanding of IPsec expressed by some of the L2TP
> partisans. If you read RFC 2401 carefully you will note that IPsec
> supports individual user authentication, in both modes.
>

User vs. Machine authentication is really a key management protocol
issue (i.e., IKE) - somewhat orthogonal to IPsec architecture (RFC 2401).
However, I do agree with Steve that there is a lot of misunderstanding
on the issue of User vs. Machine authentication.

IKE does not restrict from having multiple phase-I SAs between the same
pair of SecGW nodes, one SA for each user that wishes to authenticate from
his/her local GW to remote gateway. It is not necessary to perform the
authentication in 2 phases - i.e., device-to-device authentication,
followed by user-to-device authentication.

The reason we have the XAUTH and HYBRID-AUTH drafts out is because IKE
mandates symmetric forms of authentication and that is a lot harder to
accomplish with legacy systems. XAUTH tries to solve the problem by doing
the authentication in 2 phases - Symmetric authentication between devices,
followed by user authentication. HYBRID authentication solves the problem
by allowing asymmetric authentications in the IKE protocol.

Hope this helps clarify the misunderstanding. Thanks.

> Steve
>

cheers,
suresh