RE: Re[2]: PPP over IPSec (without L2TP)?
Pyda Srisuresh <srisuresh@yahoo.com> Sun, 17 October 1999 20:05 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.imc.org (8.9.3/8.9.3) with ESMTP id NAA06192; Sun, 17 Oct 1999 13:05:47 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id OAA12919 Sun, 17 Oct 1999 14:41:44 -0400 (EDT)
Message-ID: <19991017185851.7990.rocketmail@web1403.mail.yahoo.com>
Date: Sun, 17 Oct 1999 11:58:51 -0700
From: Pyda Srisuresh <srisuresh@yahoo.com>
Subject: RE: Re[2]: PPP over IPSec (without L2TP)?
To: Stephen Kent <kent@bbn.com>
Cc: aboba@internaut.com, ietf-ipsra@vpnc.org, ipsec@lists.tislabs.com
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
--- Stephen Kent <kent@bbn.com> wrote: > Pyda, > > >User vs. Machine authentication is really a key management protocol > >issue (i.e., IKE) - somewhat orthogonal to IPsec architecture (RFC 2401). > > RFC 2401 defines ID types that must be supported in the SPD, and which are > aligned with IKE ID payload types. These ID types include X.500 DNs, that > can certainly be used to identify users, and RFC 821 names, which are > specifically user IDs (vs. the DNS ID type, which is designated for > machines). So I disagree with your assertion that this is purely a key > management protocol issue. Ah, I see where you are coming from. Sure, RFC 2401 does allow using user-IDs to describe SPD. That is necessary, but not a sufficient condition to support user-ID authentication. IKE is the one that does the acutal user-ID authentication and hence provides the sufficiency for user-ID support. Further, We are not just talking about being able to use user-ID for authentication, but the actual method of authenticating the user-ID. I believe, the confusion about user-ID authentication arises not because IKE does not support user-ID auth, but because it does not support asymmetric and legacy authentication methods. > I do agree that protocols such as XAUTH > demonstrate a clear intent to authenticate users, not just machines, but > IKE and 2401 make definite statements to that effect already. > I believe, XAUTH and HYBRID-AUTH drafts (a) demonstrate the need for asymmetric and legacy authentication methods, and (b) attempt to address these in different ways as extensions to IKE. > Steve > regards, suresh ===== __________________________________________________ Do You Yahoo!? Bid and sell for free at http://auctions.yahoo.com
- PPP over IPSec (without L2TP)? Ari Huttunen
- RE: PPP over IPSec (without L2TP)? Shriver, John
- Re: PPP over IPSec (without L2TP)? Ari Huttunen
- Re: PPP over IPSec (without L2TP)? Scott G. Kelly
- Re[2]: PPP over IPSec (without L2TP)? Jim Tiller
- Re[2]: PPP over IPSec (without L2TP)? Stephen Kent
- RE: Re[2]: PPP over IPSec (without L2TP)? Shriver, John
- RE: Re[2]: PPP over IPSec (without L2TP)? Stephen Kent
- Re[2]: PPP over IPSec (without L2TP)? Jim Tiller
- Re[6]: PPP over IPSec (without L2TP)? Jim Tiller
- Re[4]: PPP over IPSec (without L2TP)? Jim Tiller
- RE: Re[4]: PPP over IPSec (without L2TP)? Shriver, John
- Re: PPP over IPSec (without L2TP)? Scott G. Kelly
- Re: PPP over IPSec (without L2TP)? Pyda Srisuresh
- RE: Re[2]: PPP over IPSec (without L2TP)? Bernard Aboba
- Re: PPP over IPSec (without L2TP)? Ari Huttunen
- RE: Re[2]: PPP over IPSec (without L2TP)? Stephen Kent
- RE: Re[2]: PPP over IPSec (without L2TP)? Pyda Srisuresh
- RE: Re[2]: PPP over IPSec (without L2TP)? Stephen Kent
- RE: Re[2]: PPP over IPSec (without L2TP)? Pyda Srisuresh
- RE: Re[2]: PPP over IPSec (without L2TP)? Stephen Kent
- Re: PPP over IPSec (without L2TP)? Paul Koning
- Re: PPP over IPSec (without L2TP)? Ari Huttunen
- Re: PPP over IPSec (without L2TP)? David Chen
- Re: PPP over IPSec (without L2TP)? Ari Huttunen
- Re: PPP over IPSec (without L2TP)? David Chen