IETF Logo Mail Archive

Re: [IPsec] Proposed work item: IKEv2 password authentication (SPSK) - NO

Matthew Cini Sarreo <mcins1@gmail.com> Tue, 01 December 2009 07:11 UTC

Return-Path: <mcins1@gmail.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5B02828C1B4 for <ipsec@core3.amsl.com>; Mon, 30 Nov 2009 23:11:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7gmh4E-cIHm2 for <ipsec@core3.amsl.com>; Mon, 30 Nov 2009 23:11:25 -0800 (PST)
Received: from mail-yx0-f192.google.com (mail-yx0-f192.google.com [209.85.210.192]) by core3.amsl.com (Postfix) with ESMTP id 359433A6B07 for <ipsec@ietf.org>; Mon, 30 Nov 2009 23:11:25 -0800 (PST)
Received: by yxe30 with SMTP id 30so9832141yxe.29 for <ipsec@ietf.org>; Mon, 30 Nov 2009 23:11:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:content-type; bh=13P5G94YxZdPlFWWTY4nr+hppF7y0P2nMme0VvWpd3I=; b=c232I/+WKslOv6PwHLzmKcCP8YjVe4bIAw6+0jq/padQHMGirOxld7C3sQkuSYcyvz Oin/P9MFN0qs4mMkewJwKlo4q5+PAUU/Y46dhd1FQLYPGtyAEdmcEYdN5skzWdlOOe0M y/bmTFKSDbcVXNq/gq4VnWwlJK6AD73lG7Y64=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; b=c8dBbB6861juj/QHNs0cQ23EXMMShPjAwyocfj7PWbv6S3vJeM4mBtFYMbmhkWBaZQ 5kdEn+47EMxhE/uPDofPTa3jiSkKVKiMY28SbToe9xomeblxdO3FEhso2sOmSAtiBMRt 6XGsPHxkbwEDJep+eMxQXR9NiM/FGhTr45wIY=
MIME-Version: 1.0
Received: by 10.90.37.37 with SMTP id k37mr7725276agk.64.1259651473089; Mon, 30 Nov 2009 23:11:13 -0800 (PST)
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88E06DD@il-ex01.ad.checkpoint.com>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88E04F2@il-ex01.ad.checkpoint.com> <a70eac2cf1d8cc1b743fb05aadf791b9.squirrel@www.trepanning.net> <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88E06DD@il-ex01.ad.checkpoint.com>
From: Matthew Cini Sarreo <mcins1@gmail.com>
Date: Tue, 01 Dec 2009 08:10:53 +0100
Message-ID: <99043b4a0911302310v7f2edf00l8d210b1d1e7d14a8@mail.gmail.com>
To: Yaron Sheffer <yaronf@checkpoint.com>, ipsec@ietf.org
Content-Type: multipart/alternative; boundary="0016362835829824530479a576e3"
Subject: Re: [IPsec] Proposed work item: IKEv2 password authentication (SPSK) - NO
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2009 07:11:27 -0000

>From a developer point of view, I share the same opinion as Yaron about this
issue. Instead of creating new solutions, I personally think that it would
be better to offer guidlines on how to implement current solutions (i.e EAP)
and provide documents targeting implementers. This would create less
confusion and keep IKEv2 a clean, easy to understand and use protocol.

Regards,
Matthew

2009/12/1 Yaron Sheffer <yaronf@checkpoint.com>

> Hi everyone,
>
> [WG co-chair hat off]
>
> I believe this effort is misguided, and would be a waste of the WG time.
>
> EAP was added to IKEv2 to provide "legacy" (a.k.a. password)
> authentication. In the past it did not do it very well, but this is
> changing. We should improve the use of EAP in IKEv2, rather than replacing
> it by a homebrew solution.
>
> Specifically, the following EAP methods can be used today (or in the near
> future) for mutual password-based auth:
>
> - Dan's own EAP-PWD,
> http://tools.ietf.org/html/draft-harkins-emu-eap-pwd-12
> - My EAP-EKE, http://tools.ietf.org/html/draft-sheffer-emu-eap-eke-03
> - The long expired EAP-SRP,
> http://tools.ietf.org/html/draft-ietf-pppext-eap-srp-03
> - A rumored EAP method based on the PAK protocol (
> http://tools.ietf.org/html/draft-brusilovsky-pak-10)
>
> Embedding one of these methods as the single way to do mutual auth in IKE
> simply doesn't make sense.
>
> In addition, SPSK (which is equivalent to EAP-PWD) is a novel crypto
> protocol. It has had by far the least crypto review than the other three
> protocols. IMHO, this working group should NOT be developing new
> cryptographic protocols. This is not where our expertise lies.
>
> Lastly, one of the major criticisms with IKEv1 was the number of protocol
> modes. And here we are, with a proposal to add another mode to IKEv2.
> Doesn't seem like a good idea to me.
>
> Thanks,
>        Yaron
>
>
> > -----Original Message-----
> > From: Dan Harkins [mailto:dharkins@lounge.org]
> > Sent: Tuesday, December 01, 2009 1:35
> > To: Yaron Sheffer
> > Cc: ipsec@ietf.org
> > Subject: Re: [IPsec] Proposed work item: IKEv2 password authentication
> > (SPSK)
> >
> >
> >   Hello,
> >
> >   As can be inferred by my previous posting on EAP-only authentication,
> > I favor this particular method for mutual authentication.
> >
> >   I believe this is a general purpose exchange, useful for more than the
> > narrow focus of EAP-only, does not require extraneous encapsulations or
> > unnecessary code (ala EAP-only), and is secure regardless of its use
> > (unlike EAP-only).
> >
> >   I am committed to working on this as a WG work item. I agree to
> continue
> > contributing to the text and (co-)authoring the text. I solicit help, and
> > support, from those who are interested in this task.
> >
> >   regards,
> >
> >   Dan.
> >
> > On Sun, November 29, 2009 9:20 am, Yaron Sheffer wrote:
> > > This draft proposes a particular method for mutual authentication of
> > IKEv2
> > > peers using a short, low quality shared secret (a.k.a. "password"). The
> > > proposal is to embed this method in the IKE exchange, rather than use
> > EAP.
> > >
> > > Proposed starting point:
> > > http://tools.ietf.org/id/draft-harkins-ipsecme-spsk-auth-00.txt.
> > >
> > > Please reply to the list:
> > >
> > > - If this proposal is accepted as a WG work item, are you committing to
> > > review multiple versions of the draft?
> > > - Are you willing to contribute text to the draft?
> > > - Would you like to co-author it?
> > >
> > > Please also reply to the list if:
> > >
> > > - You believe this is NOT a reasonable activity for the WG to spend
> time
> > > on.
> > >
> > > If this is the case, please explain your position. Do not explore the
> > fine
> > > technical details (which will change anyway, once the WG gets hold of
> > the
> > > draft); instead explain why this is uninteresting for the WG or for the
> > > industry at large. Also, please mark the title clearly (e.g. "DES40-
> > export
> > > in IPsec - NO!").
> > > _______________________________________________
> > > IPsec mailing list
> > > IPsec@ietf.org
> > > https://www.ietf.org/mailman/listinfo/ipsec
> > >
> >
> >
> >
> > Scanned by Check Point Total Security Gateway.
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>

v2.23.0 | Report a Bug | By Email