A Hybrid Authentication Mode for IKE
draft-ietf-ipsec-isakmp-hybrid-auth-05

Document Type: Expired Internet-Draft (ipsec WG)
Last updated: 2000-08-10
Stream: IETF
Intended RFC status: (None)
WG state: WG Document
Document shepherd: No shepherd assigned
IESG state: Expired
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at
https://www.ietf.org/archive/id/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt

Abstract

This document describes a set of new authentication methods to be used within Phase 1 of the Internet Key Exchange (IKE). The proposed methods assume an asymmetry between the authenticating entities. One entity, typically an Edge Device (e.g. firewall), authenticates using standard public key techniques (in signature mode), while the other entity, typically a remote User, authenticates using challenge response techniques. These authentication methods are used to establish, at the end of Phase 1, an IKE SA which is unidirectionally authenticated. To make this IKE bi-directionally authenticated, this Phase 1 is immediately followed by an X-Auth Exchange [XAUTH]. The X-Auth Exchange is used to authenticate the remote User. The use of these authentication methods is referred to as Hybrid Authentication mode. This proposal is designed to provide a solution for environments where a legacy authentication system exists, yet a full public key infrastructure is not deployed.

Authors

Moshe Litvin (moshe@checkpoint.com)
Roy Shamir (roy@checkpoint.com)
Tamir Zegman (zegman@checkpoint.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)