
Re: IKE draft - draft-ietf-ipsec-isakmp-oakley-08.txt



I hope the IESG does not mind if I add my two cents to this discussion,
but since my name was mentioned...

Yes, way back when, in March 1997, I did voice some concerns about the
changes made at the time as to how key material is derived when using
pre-shared key authentication in Main Mode.  And, if one examines the
ipsec mailing list traffic at the time, those concerns were addressed
by the addition of a new identification type (ID_KEY_ID) to the DOI
draft (draft-ietf-ipsec-ipsec-doi-10.txt).  The use of ID_KEY_ID,
coupled with Aggressive Mode, allows one to use pre-shared key
authentication for identities other than IP addresses, without having
to reveal the "true" identities in the clear.  This mode of operation
does work, and there are implementations out there which make use of
this capability.

Main Mode using pre-shared keys also works, perhaps for a slightly
restricted set of circumstances, but it does in fact work, as has
been demonstrated on numerous occasions for a variety of applications.
If one requires a mode of operation which cannot be supported by Main
Mode and pre-shared keys, then one can use either a different authentication
type (digital signatures, etc.), or use Aggressive Mode, both of which are
defined in the current drafts.  The fact that neither Aggressive Mode nor
the other authentication types are MUSTs should not be a hindrance.  There
are, for example, Telnet options which are not mandatory, yet which no
self-respecting modern Telnet implementation would think of doing without.  The
same should hold true for Aggressive Mode in IKE and the other authentication
options - if one needs them, one should implement them; if not, one can do
without them.

The current round of IPsec drafts has been delayed long enough.  To delay
them further would be a grave disservice to the Internet community.  To make
drastic changes at this late date - particularly when different vendors have
demonstrated interoperability using the existing drafts, and are fielding
successful products based on them - would be an atrocity.

-Shawn Mamros
E-mail to: smamros@BayNetworks.com
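The point made above about ID_KEY_ID and Aggressive Mode, as an added worked example (written for this archive page; it is not code from the post's author, from Bay Networks, or from any IKE implementation). The key derivation follows RFC 2409, the published form of draft-ietf-ipsec-isakmp-oakley: SKEYID = prf(pre-shared-key, Ni_b | Nr_b), with the prf here fixed to HMAC-SHA1. Because Main Mode sends the ID payload in message 5 already encrypted under SKEYID_e, the responder must choose the pre-shared key before it knows who the peer is, which in practice means indexing the key by source address. Aggressive Mode carries the ID payload in message 1 in the clear, so an opaque ID_KEY_ID value can select the key without exposing a user name or host name. Everything else in the block is a constructed stand-in: the Diffie-Hellman values, cookies, nonces, SA body and addresses are fixed test bytes, and the "encryption" of message 5 is an XOR keystream rather than ISAKMP's CBC mode, used only so the key-selection problem can be shown end to end.

```python
"""Toy model of RFC 2409 pre-shared-key authentication (added example, not
from the post or any IKE product).  Shows why Main Mode must pick the PSK
by peer address and why Aggressive Mode with ID_KEY_ID can pick it by an
opaque identifier.  prf = HMAC-SHA1; message-5 "encryption" is a stand-in
XOR keystream, NOT ISAKMP's CBC mode.  All peers, keys, nonces and
addresses are constructed test data."""
import hashlib
import hmac

ID_KEY_ID = 11   # ID type value from the IPsec DOI (RFC 2407)
HASH_LEN = 20    # HMAC-SHA1 output length

# Constructed exchange state that both peers already share after messages 1-4
# (Main Mode) or have agreed by message 2 (Aggressive Mode).  No real DH here.
EX = {
    "cky_i": bytes.fromhex("0011223344556677"),
    "cky_r": bytes.fromhex("8899aabbccddeeff"),
    "gxi": b"\x01" * 32, "gxr": b"\x02" * 32, "gxy": b"\x03" * 32,
    "ni": b"initiator-nonce!", "nr": b"responder-nonce!",
    "sai_b": b"\x00\x00\x00\x01\x00\x00\x00\x01",
}


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_from_psk(psk, ni_b, nr_b):
    # RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni_b + nr_b)


def derive(skeyid):
    # RFC 2409 section 5: SKEYID_d, SKEYID_a, SKEYID_e
    k = EX["gxy"] + EX["cky_i"] + EX["cky_r"]
    d = prf(skeyid, k + b"\x00")
    a = prf(skeyid, d + k + b"\x01")
    e = prf(skeyid, a + k + b"\x02")
    return d, a, e


def auth_hash(skeyid, idii_b):
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(skeyid, EX["gxi"] + EX["gxr"] + EX["cky_i"] + EX["cky_r"]
               + EX["sai_b"] + idii_b)


def toy_xor(skeyid_e, data):
    # Stand-in for encryption under SKEYID_e; symmetric, so it also decrypts.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += prf(skeyid_e, counter.to_bytes(4, "big"))
        counter += 1
    return bytes(x ^ y for x, y in zip(data, stream))


def id_payload(id_type, data):
    # ID payload body minus generic header: type, protocol id, port, data
    return bytes([id_type, 0, 0, 0]) + data


def main_mode_msg5(psk, idii_b):
    # Initiator: IDii and HASH_I, both encrypted under SKEYID_e.
    skeyid = skeyid_from_psk(psk, EX["ni"], EX["nr"])
    _, _, skeyid_e = derive(skeyid)
    return toy_xor(skeyid_e, idii_b + auth_hash(skeyid, idii_b))


def main_mode_responder(psk_by_addr, src_addr, msg5):
    # The ID is still encrypted, so the only selector available is the address.
    psk = psk_by_addr.get(src_addr)
    if psk is None:
        return None
    skeyid = skeyid_from_psk(psk, EX["ni"], EX["nr"])
    _, _, skeyid_e = derive(skeyid)
    plain = toy_xor(skeyid_e, msg5)
    idii_b, received = plain[:-HASH_LEN], plain[-HASH_LEN:]
    ok = hmac.compare_digest(auth_hash(skeyid, idii_b), received)
    return idii_b if ok else None


def aggressive_msg3_hash(psk, idii_b):
    # Initiator's HASH_I in message 3; IDii itself went in the clear in message 1.
    return auth_hash(skeyid_from_psk(psk, EX["ni"], EX["nr"]), idii_b)


def aggressive_responder(psk_by_keyid, idii_b, msg3_hash):
    # IDii arrived in message 1, so the opaque key id can select the PSK.
    if idii_b[0] != ID_KEY_ID:
        return False
    psk = psk_by_keyid.get(idii_b[4:])
    if psk is None:
        return False
    expected = auth_hash(skeyid_from_psk(psk, EX["ni"], EX["nr"]), idii_b)
    return hmac.compare_digest(expected, msg3_hash)


def run_scenario():
    # Two road warriors behind one NAT address, each with its own pre-shared key.
    alice_psk, bob_psk = b"alice-secret-psk", b"bob-secret-psk!!"
    nat_addr = "203.0.113.7"
    alice_id = id_payload(3, b"alice@example.net")   # 3 = ID_USER_FQDN
    bob_id = id_payload(3, b"bob@example.net")
    # Main Mode: one address can map to only one key, so Bob cannot be admitted
    # without being given Alice's key.
    by_addr = {nat_addr: alice_psk}
    main_alice = main_mode_responder(by_addr, nat_addr, main_mode_msg5(alice_psk, alice_id))
    main_bob = main_mode_responder(by_addr, nat_addr, main_mode_msg5(bob_psk, bob_id))
    # Aggressive Mode + ID_KEY_ID: opaque ids in the clear select distinct keys
    # and reveal neither user name.
    by_keyid = {b"kid-0001": alice_psk, b"kid-0002": bob_psk}
    a_id, b_id = id_payload(ID_KEY_ID, b"kid-0001"), id_payload(ID_KEY_ID, b"kid-0002")
    agg_alice = aggressive_responder(by_keyid, a_id, aggressive_msg3_hash(alice_psk, a_id))
    agg_bob = aggressive_responder(by_keyid, b_id, aggressive_msg3_hash(bob_psk, b_id))
    return {"main_alice": main_alice == alice_id, "main_bob": main_bob is not None,
            "agg_alice": agg_alice, "agg_bob": agg_bob}


if __name__ == "__main__":
    print(run_scenario())
```

The Main Mode failure for Bob is the "restricted set of circumstances" the post refers to: every peer that appears from the same address must share one pre-shared key, so a pool of remote users behind a NAT or on dynamically assigned addresses cannot be told apart. The Aggressive Mode branch trades that for sending an identifier in the clear, which is why ID_KEY_ID is an opaque token rather than a name.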
