Re: On shared keys
Tylor Allison <allison@securecomputing.com> Wed, 28 November 2001 18:52 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id fASIqQ809677; Wed, 28 Nov 2001 10:52:26 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA08305 Wed, 28 Nov 2001 13:02:24 -0500 (EST)
Date: Wed, 28 Nov 2001 12:10:36 -0600
From: Tylor Allison <allison@securecomputing.com>
X-X-Sender: <allison@gandalf.sctc.com>
To: Ricky Charlet <rcharlet@redcreek.com>
cc: IPsec WG <ipsec@lists.tislabs.com>
Subject: Re: On shared keys
In-Reply-To: <3C03EB45.607B57D5@redcreek.com>
Message-ID: <Pine.GSO.4.33.0111281048530.15515-100000@gandalf.sctc.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
On Tue, 27 Nov 2001, Ricky Charlet wrote:

> But, I would like to make the point (as others have) that a PSK
> authentication system which can easily interact with popular back-end
> authentication servers and will not tie the peers down to
> pre-configured, known IP addresses would be a highly usable and popular
> protocol as it would conveniently address a great need. IMHO, such an
> authentication method is in more demand than a PK authentication method
> even though the PK authentication could scale larger.
>
> Next generation IKEers have all set about the goals of reducing
> complexity and setup cost. But I would also request (and here starts a
> new war) that the authors of IKE replacement protocols also consider
> taking on the goals set forth in the ipsra WG
> (draft-ietf-ipsra-reqmts-04.txt) but with the ability to 'change IKE'.
>
> I think that we should do a PSK authentication method because it would
> be useful.

I agree with you Ricky ... IMO, if we leave out PSK authentication from SOI, then we are not addressing the needs of the marketplace.

First, as others have pointed out, for site-to-site VPNs, PSK seems to be the de-facto standard. Why? Because they are simple to set up/manage and they work (interoperable implementations). Can the new SOI standard be used to accommodate these users? To me there seems to be a conflict between the requirements of SOI to scale, but yet be simple to use in single site-to-site setups. I'm not sure if a single SOI authentication mechanism can be found which will meet both of these requirements.

And back to Ricky's point of merging the IPSRA work into SOI; modifying IKE to accommodate remote access requirements. This really isn't a new war, and it's too frustrating for me to get into in depth. It's clear that there is a large market out there which has invested in PSK or token-based authentication. It's clear that whatever we come up with better take this into account. The real question is how to make it all work together.

I'll contend that the easiest way to do this is to address the remote access requirements within IKE/SOI. Others say that separate protocols should be used as "building blocks" to achieve this. I can't help seeing these separate protocols as workarounds for deficiencies in the original design of IKE, and adding complexity to the overall solution we are presenting to our customers. If we're given the chance to start again (maybe that's really not true), why not attempt to reconcile with the new IPSRA requirements in SOI? I'd hate to see us make the same mistakes twice.

=====================================================================
= Tylor Allison          Secure Computing Corporation        =========
= phone: 651.628.1554    e-mail: allison@securecomputing.com =========
=====================================================================