Learn about user-level authentication in IPsec as presented by Scott Kelly to the IPsec Remote Access Working Group at the 47th IETF. The slides cover the main points, the mechanism for establishing IKE and phase 2 SAs ahead of user authentication, and the considerations, drawbacks and strengths of that approach, including why a transition from legacy mechanisms to stronger ones is needed and why PKIs alone may not be entirely sufficient.
User-Level Authentication in IPsec
Scott Kelly
IPsec Remote Access Working Group
47th IETF
Main Points
• Modifying/extending IKE probably not prudent
• Transition from legacy mechanisms to stronger ones is desirable and necessary
• Even if PKIs were widely deployed, they likely would not be entirely sufficient (passwords still required)
The Mechanism
• Establish IKE SA
  • server cert, no client auth
  • preshared key
  • server/client certs
• Establish phase 2 SA which permits authentication exchange
• If authentication succeeds, either
  • modify existing phase 2 attributes, or
  • drop SA(s) and negotiate new one(s)
Considerations
• Underlying requirements must be clearly understood
• Drawbacks
  • DoS susceptibility due to SA establishment prior to authentication if client not authenticated somehow
• Strengths
  • can periodically renew authentication without additional DH exchanges
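The flow on the "The Mechanism" slide, together with the DoS drawback and the renew-without-DH strength from "Considerations", can be made concrete with a small state model. The following is an added example, not code from the slides or from any IKE implementation: the `Gateway` class, the `AUTH_ONLY`/`FULL_ACCESS` selector strings, the per-peer cap on unauthenticated SAs and the user store are all hypothetical and constructed. It shows the phase 2 SA being restricted to the authentication exchange until the user authenticates, both post-success strategies (modify attributes vs. drop and renegotiate), a cap and timeout on pre-authentication SAs as one mitigation for the DoS exposure, and periodic re-authentication that leaves the IKE SA's DH state untouched.

```python
"""Toy model of user-level authentication layered over IKE / phase 2 SAs.

Added example; not from the slides or any IPsec stack. Gateway, the selector
strings and the sample users are hypothetical constructs.
"""
import hashlib
import hmac
import itertools
from dataclasses import dataclass

# IKE SA authentication options listed on "The Mechanism" slide
IKE_AUTH_MODES = {"server_cert_only", "preshared_key", "mutual_certs"}

# Hypothetical traffic selectors: before user auth the phase 2 SA carries only
# the authentication exchange; after success it may carry everything.
AUTH_ONLY = ("auth-service",)
FULL_ACCESS = ("auth-service", "intranet")


@dataclass
class IkeSa:
    peer: str
    auth_mode: str
    dh_exchanges: int = 1          # one DH exchange when the IKE SA is built
    user_authenticated: bool = False


@dataset_placeholder = None  # (removed below; see Phase2Sa)
```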