1 / 4

User-Level Authentication in IPsec

User-Level Authentication in IPsec. Scott Kelly IPsec Remote Access Working Group 47th IETF. Main Points . Modifying/extending IKE probably not prudent Transition from legacy mechanisms to stronger ones is desirable and necessary

tanek-ramsey
Download Presentation

User-Level Authentication in IPsec

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. User-Level Authentication in IPsec Scott Kelly IPsec Remote Access Working Group 47th IETF

  2. Main Points • Modifying/extending IKE probably not prudent • Transition from legacy mechanisms to stronger ones is desirable and necessary • Even if PKIs were widely deployed, they likely would not be entirely sufficient (passwords still required)

  3. The Mechanism • Establish IKE SA • server cert, no client auth • preshared key • server/client certs • Establish phase 2 SA which permits authentication exchange • If authentication succeeds, either • modify existing phase 2 attributes, or • drop SA(s) and negotiate new one(s)

  4. Considerations • Underlying requirements must be clearly understood • Drawbacks • DoS susceptibility due to SA establishment prior to authentication if client not authenticated somehow • Strengths • can periodically renew authentication without additional DH exchanges

More Related