Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)

"Kaz Kobara" <kobara_conf@m.aist.go.jp> Fri, 26 March 2010 16:52 UTC

From: Kaz Kobara <kobara_conf@m.aist.go.jp>
To: ipsec@ietf.org
References: <015701cacc74$9b0f3c20$d12db460$@aist.go.jp> <4BAC4283.9010002@gmail.com>
In-Reply-To: <4BAC4283.9010002@gmail.com>
Date: Sat, 27 Mar 2010 01:53:17 +0900
Message-ID: <018001cacd04$d59efc50$80dcf4f0$@aist.go.jp>
Subject: Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)

Hi Yaron

Thank you for your clarification.

> "between gateways" as opposed to
> "between clients and gateways". So your assertion is correct.

(Between gateways, administrators can set long secrets, so the necessity of
PAKE seems smaller than between clients and gateways where passwords are
recorded in the gateways and users have to type the passwords.)

Anyway, if the scope is limited only to "between gateways" but not "between
clients and gateways," the title
"Password-Based Authentication in IKEv2: Selection Criteria and Comparison"
seems misleading (since the title itself gives the impression that these
criteria may be applied to IKEv2 in any case), and the above should be clearly
mentioned in the document.

Kaz

> -----Original Message-----
> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
> Sent: Friday, March 26, 2010 2:14 PM
> To: Kaz Kobara
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)
> 
> Hi Kaz,
> 
> I *thought* my intention was clear: "between gateways" as opposed to
> "between clients and gateways". So your assertion is correct.
> 
> Thanks,
> 	Yaron
> 
> On 26.3.2010 1:40, Kaz Kobara wrote:
> > Hi Yaron
> >
> >> draft-sheffer-ipsecme-pake-criteria-02.txt says in Page 4
> >> "This document is limited to the use of password-based authentication to
> >> achieve trust between gateways"
> >
> > I would like to make sure that
> > "gateway" in this document does not encompass VPN clients and hosts, right?
> >
> > Kaz
> >
> >> -----Original Message-----
> >> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of
> >> Yaron Sheffer
> >> Sent: Friday, March 26, 2010 3:31 AM
> >> To: SeongHan Shin
> >> Cc: IPsecme WG; Kazukuni Kobara
> >> Subject: Re: [IPsec] New PAKE Criteria draft posted
> >>
> >> Hi Shin,
> >>
> >> Yes. For the typical remote access VPN, EAP is typically more useful.
> >> Note that there is still need for strong password-based mutual
> >> authentication EAP methods - but their home is the EMU working group.
> >>
> >> In addition, the IPsecME has another charter item designed to fit such
> >> EAP methods (such as the future EAP-AugPAKE :-) into IKEv2.
> >>
> >> Please see again the group's charter,
> >> http://tools.ietf.org/wg/ipsecme/charters.
> >>
> >> Thanks,
> >> 	Yaron
> >>
> >> On 25.3.2010 20:07, SeongHan Shin wrote:
> >>> Dear Yaron Sheffer,
> >>>
> >>> I have one question about the draft.
> >>>
> >>> draft-sheffer-ipsecme-pake-criteria-02.txt says in Page 4
> >>> "This document is limited to the use of password-based authentication to
> >>> achieve trust between gateways"
> >>>
> >>> Is this a consensus of this WG?
> >>>
> >>> Best regards,
> >>> Shin
> >>>
> >>> On Thu, Mar 25, 2010 at 3:46 PM, Yaron Sheffer<yaronf.ietf@gmail.com
> >>> <mailto:yaronf.ietf@gmail.com>>  wrote:
> >>>
> >>>      Hi,
> >>>
> >>>      after the good discussion in Anaheim, and with the help of comments
> >>>      received on and off the list, I have updated the PAKE Criteria draft
> >>>      and posted it as
> >>>
> >>>      http://www.ietf.org/id/draft-sheffer-ipsecme-pake-criteria-02.txt.
> >>>
> >>>      I have added a number of criteria, clarified others, and added
> >>>      numbering (SEC1-SEC6, IPR1-IPR3 etc.).
> >>>
> >>>      Thanks,
> >>>          Yaron
> >>>      _______________________________________________
> >>>      IPsec mailing list
> >>>      IPsec@ietf.org<mailto:IPsec@ietf.org>
> >>>      https://www.ietf.org/mailman/listinfo/ipsec
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> ------------------------------------------------------------------
> >>> SeongHan Shin
> >>> Research Center for Information Security (RCIS),
> >>> National Institute of Advanced Industrial Science and Technology (AIST),
> >>> Room no. 1003, Akihabara Daibiru 10F,
> >>> 1-18-13, Sotokannda, Chiyoda-ku, Tokyo 101-0021 Japan
> >>> Tel : +81-3-5298-2722
> >>> Fax : +81-3-5298-4522
> >>> E-mail : seonghan.shin@aist.go.jp<mailto:seonghan.shin@aist.go.jp>
> >>> ------------------------------------------------------------------
> >> _______________________________________________
> >> IPsec mailing list
> >> IPsec@ietf.org
> >> https://www.ietf.org/mailman/listinfo/ipsec
> >
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
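
The parenthetical in Kaz's message (long administrator-set secrets between gateways versus typed passwords between clients and gateways) rests on how IKEv2 shared-secret authentication fails with a low-entropy secret. The script below is an added illustration written for this archive page, not code from the thread or from the draft. It models IKEv2's PSK AUTH construction, AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), SignedOctets) (RFC 4306 / RFC 7296, Section 2.15), with HMAC-SHA256 standing in for the negotiated prf, and uses a constructed stand-in byte string for the signed octets and a constructed five-word wordlist. It then runs the offline dictionary attack an active impersonator can mount against a typed password and shows the same attack getting nowhere against a long administrator-set secret; the function and variable names are this example's own.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# IKEv2 shared-secret authentication (RFC 4306 / RFC 7296, Section 2.15):
#   AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)
# The prf is negotiated in IKE_SA_INIT; HMAC-SHA256 stands in for it here.
KEY_PAD = b"Key Pad for IKEv2"

# Constructed stand-in for InitiatorSignedOctets. In a real exchange these
# include the IKE_SA_INIT message, the peer's nonce and a MAC keyed with
# SK_p (derived from the Diffie-Hellman result), so only a party that took
# part in the DH exchange, i.e. an active impersonator, knows them; a
# passive eavesdropper does not.
SIGNED_OCTETS = b"constructed-ikev2-initiator-signed-octets"

# Constructed wordlist; a real attacker would use millions of entries.
WORDLIST = ["password", "letmein", "vpn2010", "summer2010", "Welcome1"]

# What a user might type into a VPN client (constructed).
TYPED_PASSWORD = "summer2010"

# What an administrator can configure on both gateways: 32 random bytes,
# generated once with secrets.token_hex(32) and fixed here (constructed).
ADMIN_SECRET = "9c1f4b2e7a0d5f6381b2c4d9e0f7a6b5c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8"


def prf(key: bytes, data: bytes) -> bytes:
    """Pseudo-random function used by IKEv2; modelled as HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def ikev2_psk_auth(shared_secret: bytes, signed_octets: bytes) -> bytes:
    """AUTH payload value for shared-secret authentication."""
    return prf(prf(shared_secret, KEY_PAD), signed_octets)


def offline_dictionary_attack(
    signed_octets: bytes, auth: bytes, wordlist: Iterable[str]
) -> Optional[str]:
    """Recover the shared secret from a captured AUTH, if it is in wordlist.

    Once the impersonator holds signed_octets and the victim's AUTH, every
    guess costs two local PRF calls and no further interaction with the
    victim, so the work is bounded by the password's guessability alone.
    """
    for guess in wordlist:
        candidate = ikev2_psk_auth(guess.encode(), signed_octets)
        if hmac.compare_digest(candidate, auth):
            return guess
    return None


def attack_with_secret(secret: str) -> Optional[str]:
    """Simulate a victim authenticating with `secret` to an impersonating
    responder, then the impersonator's offline search over WORDLIST."""
    auth = ikev2_psk_auth(secret.encode(), SIGNED_OCTETS)
    return offline_dictionary_attack(SIGNED_OCTETS, auth, WORDLIST)


def guess_space_bits(secret: str) -> float:
    """Crude upper bound on the search space an attacker faces: length times
    log2 of the alphabet size, with hex and alphanumerics told apart."""
    import math
    alphabet = 16 if all(c in "0123456789abcdef" for c in secret) else 62
    return len(secret) * math.log2(alphabet)


if __name__ == "__main__":
    print("typed password recovered:", attack_with_secret(TYPED_PASSWORD))
    print("admin secret recovered:  ", attack_with_secret(ADMIN_SECRET))
    print("typed password space bits ~", round(guess_space_bits(TYPED_PASSWORD)))
    print("admin secret space bits   ~", round(guess_space_bits(ADMIN_SECRET)))
```

The typed password is found after a handful of PRF calls, which is the attack a PAKE is meant to close off; the 256-bit administrator secret is out of reach of any dictionary, which is why, as the message says, the need for a PAKE between two gateways is smaller than between a client and a gateway where a human types the secret.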