Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)

"Kaz Kobara" <kobara_conf@m.aist.go.jp> Sun, 28 March 2010 12:06 UTC

From: "Kaz Kobara" <kobara_conf@m.aist.go.jp>
To: <ipsec@ietf.org>
References: <015701cacc74$9b0f3c20$d12db460$@aist.go.jp> <4BAC4283.9010002@gmail.com> <018001cacd04$d59efc50$80dcf4f0$@aist.go.jp> <4BAE10BC.7090401@gmail.com> <001001cacdd7$557f0190$007d04b0$@aist.go.jp> <3b12564381bb3d1b9eea9b3276a68487.squirrel@www.trepanning.net> <001801cace41$98e87e10$cab97a30$@aist.go.jp> <4BAF1610.8050004@gmail.com>
In-Reply-To: <4BAF1610.8050004@gmail.com>
Date: Sun, 28 Mar 2010 21:06:43 +0900
Message-ID: <000301cace6f$24b23170$6e169450$@aist.go.jp>

Hi Yaron,

I see.
Your "client-gateway" means "client-gateway-AAA".

OK, now we can go back to the title.

Why don't you make it more specific, like
"Password-Based Authentication between Gateways in IKEv2: Selection Criteria
and Comparison" or something like that?

This is really what you want to do, I bet.

Regards,
Kaz

> -----Original Message-----
> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
> Sent: Sunday, March 28, 2010 5:41 PM
> To: Kaz Kobara
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)
> 
> Hi Kaz,
> 
> Most of the WG members are aware of the whole picture:
> 
> - The standard is clear that PSK must not be used with passwords.
> - The standard contains a good solution for the client-gateway case,
> which is already widely implemented, namely EAP. EAP is implemented by
> many AAA servers, is available on endpoints and simple to integrate into
> gateways, and is therefore the best way to set up a remote access
> solution if you have more than, say, 5 users.
> - Having two ways to do the same thing (e.g. IKE+EAP with a mutual auth
> method, and IKEv2 with the new proposed mode) is bad for
> interoperability and ultimately, for the success of the standard.
> 
> Thanks,
> 	Yaron
> 
> On 28.3.2010 9:40, Kaz Kobara wrote:
> >>    So is there a reason you don't want to fix this "between clients
> >> and gateways"?
> >
> > (As most of this WG members have already noticed)
> > PSK in IKE is foolish in the sense that it is vulnerable against off-line
> > dictionary attack while using heavy DH calculation.
> >
> > There is no reason not to fix this foolish PSK (regardless of "between
> > gateways" and "between clients and gateways".)
> >
> > Kaz
> >