Re: On shared keys
Ricky Charlet <rcharlet@redcreek.com> Tue, 27 November 2001 20:18 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id fARKI6827373; Tue, 27 Nov 2001 12:18:06 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id OAA03800 Tue, 27 Nov 2001 14:23:58 -0500 (EST)
Message-ID: <3C03EB45.607B57D5@redcreek.com>
Date: Tue, 27 Nov 2001 11:36:37 -0800
From: Ricky Charlet <rcharlet@redcreek.com>
Organization: Redcreek Communications
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.4.2-2 i686)
X-Accept-Language: en
MIME-Version: 1.0
CC: IPsec WG <ipsec@lists.tislabs.com>
Subject: Re: On shared keys
References: <Pine.GSO.4.21.0111270123520.11590-100000@ee.technion.ac.il>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Hugo Krawczyk wrote: > > Everyone agrees that public key is the ONLY way to a scalable > Internet-wide protocol. No question about it. In particular, > any key-exchange protocol for IPsec MUST provide a PK-based exchange. I agree that, in theory, a PK based system should scale further than a PSK based system. But in practice, we live in a world where PSK based authentication methods have been made to scale to an entirely sufficient degree by almost every corporation. The advantages of scaling further yet seems pretty dim in most of their eyes when compared to the cost of re-tooling their credential handling. The set of organizations who need greater scalability than PSKs is small (but non-ignorable). The set of organizations who currently have working infrastructures to support PSK authentications is large. So, do we need a PSK authentication method as well as a PK authentication method? Each of the three next generation IKE replacement drafts dropped support for PSK authentication specifically in the interest of protocol simplicity. This is a laudable goal and should not be lightly dismissed. Simplicity increases both interoperability and security. Some have argued that we need a PSK authentication method because it is easy to test. This argument does not overcome the arguments in favor of protocol simplicity in my view. But, I would like to make the point (as others have) that a PSK authentication system which can easily interact with popular back-end authentication servers and will not tie the peers down to pre-configured, known IP addresses would be a highly usable and popular protocol as it would conviently address a great need. IMHO, such an authentication method is in more demand than a PK authentication method even though the PK authentication could scale larger. Next generation IKEers have all set about the goals of reducing complexity and setup cost. But I would also request (and here starts a new war) that the authors of IKE replacement protocols also consider taking on the goals set forth in the ipsra WG (draft-ietf-ipsra-reqmts-04.txt) but with the ability to 'change IKE'. I think that we should do a PSK authentication method because it would be useful. -- "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." Benjamin Franklin Ricky Charlet : SonicWall Inc. : usa (510) 497-2103
- I-D ACTION:draft-ietf-ipsec-son-of-ike-protocol-r… Internet-Drafts
- SOI: preshared Michael Thomas
- SOI: identity protection and DOS Michael Thomas
- SOI: round tripiness Michael Thomas
- Re: SOI: preshared Henry Spencer
- Re: SOI: identity protection and DOS Paul Koning
- Re: SOI: identity protection and DOS Joern Sierwald
- Re: SOI: preshared Michael Thomas
- Re: SOI: preshared Henry Spencer
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: preshared Paul Hoffman / VPNC
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: preshared Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Ari Huttunen
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Radia Perlman - Boston Center for Networking
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Arne Ansper
- Re: SOI: identity protection and DOS Sandy Harris
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: preshared Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Ari Huttunen
- Re: SOI: preshared DavidChenNH
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Richard Guy Briggs
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Hugo Krawczyk
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Paul Hoffman / VPNC
- Re: SOI: identity protection and DOS Steven M. Bellovin
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Sara Bitan
- RE: SOI: identity protection and DOS Andrew Krywaniuk
- RE: SOI: identity protection and DOS Paul Hoffman / VPNC
- On shared keys (was RE: SOI: identity protection … Hugo Krawczyk
- Re: SOI: identity protection and DOS Hugo Krawczyk
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: identity protection and DOS Ari Huttunen
- Re: SOI: identity protection and DOS Alex Alten
- On shared keys (was RE: SOI: identity protection … Michael Thomas
- Re: On shared keys (was RE: SOI: identity protect… Alex Alten
- Re: SOI: identity protection and DOS Hugo Krawczyk
- Re: SOI: identity protection and DOS Hugo Krawczyk
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Derek Atkins
- Re: On shared keys Ricky Charlet
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- Re: On shared keys (was RE: SOI: identity protect… Michael Thomas
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Steven M. Bellovin
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: identity protection and DOS Steven M. Bellovin
- RE: On shared keys (was RE: SOI: identity protect… Andrew Krywaniuk
- RE: SOI: identity protection and DOS Andrew Krywaniuk
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Richard Guy Briggs
- Re: SOI: identity protection and DOS Arne Ansper
- Re: Gee, shared secrets suck (was: Re: SOI: ident… David Jablon
- Re: SOI: identity protection and DOS Arne Ansper
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Steven M. Bellovin
- Re: SOI: identity protection and DOS Henry Spencer
- RE: SOI: identity protection and DOS Paul Koning
- Gee, shared secrets suck (was: Re: SOI: identity … Joel Snyder
- Re: Gee, shared secrets suck (was: Re: SOI: ident… david chen
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS david chen
- Re: On shared keys Tylor Allison
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Paul Koning
- RE: On shared keys (was RE: SOI: identity protect… Alex Alten
- RE: SOI: identity protection and DOS Andrew Krywaniuk
- RE: SOI: identity protection and DOS Hugo Krawczyk
- Re: SOI: identity protection and DOS david chen
- RE: On shared keys (was RE: SOI: identity protect… Dilkie, Lee
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- Re: On shared keys Jari Arkko
- Re: On shared keys (was RE: SOI: identity protect… Alex Alten
- Re: On shared keys (was RE: SOI: identity protect… david chen
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- Re: On shared keys sami.vaarala
- Re: On shared keys (was RE: SOI: identity protect… Paul Koning
- Re: On shared keys Derek Atkins
- Re: On shared keys Henry Spencer
- Re: Gee, shared secrets suck (was: Re: SOI: ident… Arne Ansper
- Re: On shared keys Derek Atkins
- Re: On shared keys Arne Ansper
- RE: On shared keys Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… Stephen Kent
- Re: On shared keys Sami Vaarala
- Re: On shared keys Sami Vaarala
- RE: On shared keys (was RE: SOI: identity protect… Alex Alten
- Re: On shared keys Derek Atkins
- Re: On shared keys Sami Vaarala
- Re: On shared keys (was RE: SOI: identity protect… Sandy Harris
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: On shared keys (was RE: SOI: identity protect… Khaja E. Ahmed
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- Re: On shared keys (was RE: SOI: identity protect… Sandy Harris
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: SOI: identity protection and DOS Andrew Krywaniuk
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: SOI: identity protection and DOS Hugo Krawczyk
- SA look up Jin Zhang
- RE: SA look up Li, Ruicong