Re: Please save the pre-shared key mode
Dan Harkins <dharkins@tibernian.com> Sat, 08 December 2001 00:21 UTC
Message-Id: <200112072355.fB7NtsG01403@fatty.lounge.org>
To: Jan Vilhuber <vilhuber@cisco.com>
Cc: ipsec@lists.tislabs.com
Subject: Re: Please save the pre-shared key mode
In-Reply-To: Your message of "Fri, 07 Dec 2001 14:07:13 PST." <Pine.LNX.4.21.0112071405490.24375-100000@janpc-home.cisco.com>
Date: Fri, 07 Dec 2001 15:55:54 -0800
From: Dan Harkins <dharkins@tibernian.com>

IPSRA is doing a little bit more than legacy authentication support but
you do have a point. Doing as Ricky suggests will also obviate that
insecure hack that Marcus described today.

What we're telling people who want to do legacy authentication in a
standard way is that they have to do a 4-8 message exchange (depending
on whether you want DOS protection and your legacy authentication token
is not out of sync or in something like "Next Code Mode") and establish
an authenticated Diffie-Hellman secret which you promptly throw away to
do another 9-10 message exchange (IKEv1, phase 1 and phase 2 with the
optional commit bit set) or 3-4 message exchange (assuming whatever the
WG standardizes on for SOI looks something like what is being proposed
today) and establish another authenticated Diffie-Hellman secret and
IPsec SAs.

  Protocol   Initiator     Responder      Latency
  ------------------------------------------------
  PIC+IKE    1 signature   2 signatures   6.5-9 RTT + 1-2 RTs
                                          to legacy server
             2 verifies    1 verify
             2 DH agree    2 DH agree

Worst case 22 messages, best case 14 messages, just to do legacy
authentication!? No wonder people are devising hacks around that. For
all the concern expressed over the number of roundtrips a protocol has
I'm surprised that no one has harped on that before.

  Dan.

On Fri, 07 Dec 2001 14:07:13 PST you wrote
> On Thu, 6 Dec 2001, Ricky Charlet wrote:
>
> > Howdy,
> >
> > I'm moving my position from 'in favor' to 'neutral' on saving a
> > pre-shared key authentication mode. It's not PSK itself or even current
> > look alike PSK functionality I'd like to see saved. There is a new
> > feature I want to see added and that is interaction with legacy
> > authentication systems in support of remote access users ala
> > draft-ietf-ipsra-reqmts-04.txt.
>
> But then we should close down IPSRA, shouldn't we? Either we have IPSRA to
> take care of remote-access legacy methods, or we cancel that WG and fold the
> requirements back into the IPsec WG...
>
> jan
> --
> Jan Vilhuber                                    vilhuber@cisco.com
> Cisco Systems, San Jose                             (408) 527-0847
>