Issue #114: Expired drafts, especially BEET ==> Tero and Yaron suggested wording changes. The 2nd paragraph below contains those changes.
#114: Expired drafts, especially BEET

Proposed changes to Roadmap doc:

Add text to the introductory section for IKEv1, Section 4.1.1:

Additional text (revised since last email):

IKE is the preferred key management protocol for IPsec. It is used for peer authentication; to negotiate, modify and delete SAs; and to negotiate authenticated keying material for use within those SAs. The standard peer authentication methods used by IKEv1 (pre-shared secret keys and digital certificates) had several shortcomings related to use of IKEv1 to enable remote user authentication to a corporate VPN: it could not leverage the use of legacy authentication systems (e.g. RADIUS databases) to authenticate a remote user to a security gateway; and it could not be used to configure remote users with network addresses or other information needed in order to access the internal network.

Several Internet Drafts were written to address these problems: Extended Authentication within IKE (XAUTH) (draft-beaulieu-ike-xauth and its predecessor draft-ietf-ipsra-isakmp-xauth) and The ISAKMP Configuration Method (draft-dukes-ike-mode-cfg and its predecessor draft-ietf-ipsec-isakmp-mode-cfg). These drafts did not progress to RFC status due to security flaws and other problems related to these solutions. However, many current IKEv1 implementations incorporate aspects of these solutions to facilitate remote user access to corporate VPNs. These solutions were not standardized, and different implementations implemented different versions. Thus, there is no assurance that the implementations adhere fully to the suggested solutions, or that one implementation can interoperate with others that claim to incorporate the same features. Furthermore, these solutions have known security issues. Thus, use of these solutions is not recommended.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
