On 05/21/10 10:33 AM, Alan DuBoff wrote:
> On Fri, 21 May 2010, Dan McDonald wrote:
>> You're painting too broad. That should read, "...which would handle
>> XAUTH and MODE-CFG." We do IPsec and IKE without those extensions just
>> fine, thank you very much.
> It needs to handle both phases of negotiation. Can Solaris negotiate
> them? The cost of a router is small in comparison to the cost of a
> server. We have everything connected through IPSEC/IKE, all the routers
> and servers in a 1/2 rack are all securely connected to each other. It's
> a great design, IMO, which requires that the client create a tunnel to connect.
You need to be much more precise. Your notion of "both phases of
negotiation" doesn't mean anything in a general sense.
What, exactly, are you trying to accomplish? For instance, we can
easily negotiate transport or tunnel mode and you can connect all manner
of servers together that way.
With a VPN (which is NOT the same thing as the IPsec/IKE protocol, but
may use it as part of its protocol), you're additionally talking about
1. An *additional* level of user authentication on top of something
like preshared keys or certs for system level authentication (which
works and interoperates fine out of the box)
2. Address provisioning and configuration.
So, I ask again, do you need these additional extensions on top of
regular IPsec/IKE, which will negotiate a secure connection? You can
easily get servers to negotiate securely without these if your
deployment is just trying to get a bunch of systems to talk securely to
each other in an automated way without forced user interaction.
Thanks,
Paul
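An added illustration, not part of the thread or of any poster's own configuration: the "out of the box" system-level authentication Paul describes, written as a Solaris 10 style IKE/IPsec setup for two hosts protecting their traffic in transport mode with a preshared key and nothing else (no XAUTH user authentication, no MODE-CFG address provisioning). The file syntax follows the ike.config(4), ike.preshared(4) and ipsecconf(1M) formats as I recall them; the addresses, rule label and key are constructed placeholders, and the exact keywords should be checked against the man pages of the release in use.

```conf
### /etc/inet/ike/config  (on host A, 192.0.2.1; swap the addresses on host B)
### Phase 1 (IKE SA): authenticates the *systems* to each other with a
### preshared key. No per-user XAUTH step and no MODE-CFG address hand-out.
p1_lifetime_secs 14400
p2_lifetime_secs 3600

{
  label "hostA-hostB"            # constructed label
  local_addr  192.0.2.1          # constructed placeholder address
  remote_addr 192.0.2.2          # constructed placeholder address
  p1_xform { auth_method preshared oakley_group 2 auth_alg sha encr_alg aes }
  p2_pfs 2                       # perfect forward secrecy for the phase 2 (IPsec) SAs
}

### /etc/inet/secret/ike.preshared  (mode 0600, owned by root)
### Identity is the peer's IP address; the key must match on both hosts.
{
  localidtype IP
  localid 192.0.2.1
  remoteidtype IP
  remoteid 192.0.2.2
  key 0123456789abcdef0123456789abcdef    # PLACEHOLDER: replace with a random hex key
}

### /etc/inet/ipsecinit.conf
### Phase 2 (IPsec SAs): policy requiring ESP in transport mode for all
### traffic between the two hosts; "sa shared" lets one SA pair cover it.
{laddr 192.0.2.1 raddr 192.0.2.2} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

### Activate and verify (run as root on each host)
# ipsecconf -a /etc/inet/ipsecinit.conf
# svcadm enable svc:/network/ipsec/ike:default
# ipsecconf -l            # lists the installed policy
# ikeadm dump p1          # a phase 1 SA appears once traffic triggers IKE
```

Swapping the preshared key for certificate authentication changes only the phase 1 transform (auth_method rsa_sig with DN identities) and leaves the rest untouched; in neither case is there a user-level credential or a pushed client address, which is exactly the gap the VPN extensions in the thread fill.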
security-discuss mailing list