
A Hybrid Authentication Mode for IKE

Document Type: Expired Internet-Draft (ipsec WG)
Authors: Moshe Litvin, Roy Shamir, Tamir Zegman
Last updated: 2000-08-10
Stream: Internet Engineering Task Force (IETF)
Intended RFC status: (None)
Expired & archived
WG state: WG Document
Document shepherd: (None)
IESG state: Expired
Consensus boilerplate: Unknown
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)
This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at:


This document describes a set of new authentication methods to be used within Phase 1 of the Internet Key Exchange (IKE). The proposed methods assume an asymmetry between the authenticating entities. One entity, typically an Edge Device (e.g. firewall), authenticates using standard public key techniques (in signature mode), while the other entity, typically a remote User, authenticates using challenge response techniques. These authentication methods are used to establish, at the end of Phase 1, an IKE SA which is unidirectionally authenticated. To make this IKE bi-directionally authenticated, this Phase 1 is immediately followed by an X-Auth Exchange [XAUTH]. The X-Auth Exchange is used to authenticate the remote User. The use of these authentication methods is referred to as Hybrid Authentication mode. This proposal is designed to provide a solution for environments where a legacy authentication system exists, yet a full public key infrastructure is not deployed.


Moshe Litvin
Roy Shamir
Tamir Zegman

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)