Re: SOI: preshared
Henry Spencer <henry@spsystems.net> Mon, 19 November 2001 21:14 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id fAJLEc823077; Mon, 19 Nov 2001 13:14:38 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA10466 Mon, 19 Nov 2001 15:16:16 -0500 (EST)
Date: Mon, 19 Nov 2001 15:25:04 -0500
From: Henry Spencer <henry@spsystems.net>
To: IP Security List <ipsec@lists.tislabs.com>
Subject: Re: SOI: preshared
In-Reply-To: <15353.24948.198728.631259@thomasm-u1.cisco.com>
Message-ID: <Pine.BSI.3.91.1011119151452.9317C-100000@spsystems.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
On Mon, 19 Nov 2001, Michael Thomas wrote:
> The consequence of using naked public keys in lieu
> of symmetric keys is that you incur the cost of
> both a DH and a RSA operation...
Correct. That's the same overhead as experienced with certificates, etc.,
so if it is acceptable for large-scale high-volume use, it should be okay
for a fallback mode intended for more limited applications.
> You could
> conceivably get rid of the DH if you don't care
> about identity, but for preshared keys it seems
> questionable why you'd want to do _either_.
Today's preshared keys are for authentication, not encryption, so the DH
step is not optional -- they often are things like English phrases, which
may be okay for authentication but definitely does not provide encryption
strong enough to adequately protect session-key exchanges.
A proposal for an ultra-low-overhead IKE authentication mode, using strong
preshared keys to eliminate the DH step as well, is a separate issue from
whether we should retain the existing preshared-key mode (which does not
fit that description).
Henry Spencer
henry@spsystems.net
- I-D ACTION:draft-ietf-ipsec-son-of-ike-protocol-r… Internet-Drafts
- SOI: preshared Michael Thomas
- SOI: identity protection and DOS Michael Thomas
- SOI: round tripiness Michael Thomas
- Re: SOI: preshared Henry Spencer
- Re: SOI: identity protection and DOS Paul Koning
- Re: SOI: identity protection and DOS Joern Sierwald
- Re: SOI: preshared Michael Thomas
- Re: SOI: preshared Henry Spencer
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: preshared Paul Hoffman / VPNC
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: preshared Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Ari Huttunen
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Radia Perlman - Boston Center for Networking
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Arne Ansper
- Re: SOI: identity protection and DOS Sandy Harris
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: preshared Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Ari Huttunen
- Re: SOI: preshared DavidChenNH
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Richard Guy Briggs
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Hugo Krawczyk
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Paul Hoffman / VPNC
- Re: SOI: identity protection and DOS Steven M. Bellovin
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Sara Bitan
- RE: SOI: identity protection and DOS Andrew Krywaniuk
- RE: SOI: identity protection and DOS Paul Hoffman / VPNC
- On shared keys (was RE: SOI: identity protection … Hugo Krawczyk
- Re: SOI: identity protection and DOS Hugo Krawczyk
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: identity protection and DOS Ari Huttunen
- Re: SOI: identity protection and DOS Alex Alten
- On shared keys (was RE: SOI: identity protection … Michael Thomas
- Re: On shared keys (was RE: SOI: identity protect… Alex Alten
- Re: SOI: identity protection and DOS Hugo Krawczyk
- Re: SOI: identity protection and DOS Hugo Krawczyk
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Derek Atkins
- Re: On shared keys Ricky Charlet
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- Re: On shared keys (was RE: SOI: identity protect… Michael Thomas
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Steven M. Bellovin
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: identity protection and DOS Steven M. Bellovin
- RE: On shared keys (was RE: SOI: identity protect… Andrew Krywaniuk
- RE: SOI: identity protection and DOS Andrew Krywaniuk
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Richard Guy Briggs
- Re: SOI: identity protection and DOS Arne Ansper
- Re: Gee, shared secrets suck (was: Re: SOI: ident… David Jablon
- Re: SOI: identity protection and DOS Arne Ansper
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Steven M. Bellovin
- Re: SOI: identity protection and DOS Henry Spencer
- RE: SOI: identity protection and DOS Paul Koning
- Gee, shared secrets suck (was: Re: SOI: identity … Joel Snyder
- Re: Gee, shared secrets suck (was: Re: SOI: ident… david chen
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS david chen
- Re: On shared keys Tylor Allison
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Paul Koning
- RE: On shared keys (was RE: SOI: identity protect… Alex Alten
- RE: SOI: identity protection and DOS Andrew Krywaniuk
- RE: SOI: identity protection and DOS Hugo Krawczyk
- Re: SOI: identity protection and DOS david chen
- RE: On shared keys (was RE: SOI: identity protect… Dilkie, Lee
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- Re: On shared keys Jari Arkko
- Re: On shared keys (was RE: SOI: identity protect… Alex Alten
- Re: On shared keys (was RE: SOI: identity protect… david chen
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- Re: On shared keys sami.vaarala
- Re: On shared keys (was RE: SOI: identity protect… Paul Koning
- Re: On shared keys Derek Atkins
- Re: On shared keys Henry Spencer
- Re: Gee, shared secrets suck (was: Re: SOI: ident… Arne Ansper
- Re: On shared keys Derek Atkins
- Re: On shared keys Arne Ansper
- RE: On shared keys Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… Stephen Kent
- Re: On shared keys Sami Vaarala
- Re: On shared keys Sami Vaarala
- RE: On shared keys (was RE: SOI: identity protect… Alex Alten
- Re: On shared keys Derek Atkins
- Re: On shared keys Sami Vaarala
- Re: On shared keys (was RE: SOI: identity protect… Sandy Harris
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: On shared keys (was RE: SOI: identity protect… Khaja E. Ahmed
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- Re: On shared keys (was RE: SOI: identity protect… Sandy Harris
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: SOI: identity protection and DOS Andrew Krywaniuk
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: SOI: identity protection and DOS Hugo Krawczyk
- SA look up Jin Zhang
- RE: SA look up Li, Ruicong