1 / 4

User-Level Authentication in IPsec

Learn about user-level authentication in IPsec from the perspective of Scott Kelly and the IPsec Remote Access Working Group at the 47th IETF Main Points. This guide covers the mechanism to establish IKE and phase 2 SAs, considerations, drawbacks, and strengths to enhance security. Understand the importance of transitioning from legacy mechanisms to stronger ones and why PKIs may not be entirely sufficient.

tanek-ramsey
Télécharger la présentation

User-Level Authentication in IPsec

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. User-Level Authentication in IPsec Scott Kelly IPsec Remote Access Working Group 47th IETF

  2. Main Points • Modifying/extending IKE probably not prudent • Transition from legacy mechanisms to stronger ones is desirable and necessary • Even if PKIs were widely deployed, they likely would not be entirely sufficient (passwords still required)

  3. The Mechanism • Establish IKE SA • server cert, no client auth • preshared key • server/client certs • Establish phase 2 SA which permits authentication exchange • If authentication succeeds, either • modify existing phase 2 attributes, or • drop SA(s) and negotiate new one(s)

  4. Considerations • Underlying requirements must be clearly understood • Drawbacks • DoS susceptibility due to SA establishment prior to authentication if client not authenticated somehow • Strengths • can periodically renew authentication without additional DH exchanges

More Related