
Re: Reliable delete notifies



What are your arguments (scale, performance, reliability, security) against 
preshared-key authentication when using the IPSec protocol? Many who don't 
have access to an operational PKI and significant numbers of IPSec devices 
to worry about are hanging on to preshared keys. Should they be worried 
other than with scale issues?

                                         Ron Plummer

At 11:10 PM 10/8/00, you wrote:

>[snip]
> >  I'm doing this work for the Working Group and I can't just
> >unilaterally declare that Aggressive Mode is out. I was
> >noting that it's out of my drafty-draft. If the Working Group
> >wants Aggressive Mode in the protocol then it is in. So let's
> >start a discussion. Does the Working Group want to keep
> >Aggressive Mode? Is Aggressive Mode "standards bloat" or
> >is it a necessary addition to do what Ben wants to do?
>
>I would in fact argue for removal of preshared-key authentication; it was
>useful for debugging or for very simple setups, but the protocol complexity
>introduced both directly (because of the need to support 2 or 3 auth methods)
>and indirectly (encourages addition of other authentication mechanisms) is
>simply not worth it.
>
>Ways to retrieve certificates (or have temporary certificates issued, after
>using XYZ authentication) are known, simple, and well-understood.
>-Angelos

--
Ron Plummer
Senior Consultant/Engineer
Project Manager
Professional Services
Telcordia Technologies, Inc.
An SAIC Company
3 Corporate Place
Piscataway, NJ 08854
(732) 699-6312 (Voice)  (732) 699-4432 (FAX)
(609) 203-4825 (Mobile)
rplummer@telcordia.com
rjp_pager@sahana.cc.telcordia.com (pager)
PGP Fingerprint: 8508 2EFB C11D 013E 231B  5D10 D644 7DC6 53EE 60C3


