Re: charter question re IKE changes
Paul Hoffman / VPNC wrote:
>
> At 9:35 AM -0700 10/13/00, Dan Harkins wrote:
> > The lack of people implementing good products should not be a
> > motivating factor in developing standards. If we all agree on
> > how it *could* work then let's promote that.
>
> Of course. We should continue to promote certs and explain the
> security problems of preshared secrets. No one has said otherwise.
> The question is should we continue to allow the *use* of preshared
> secrets.
only through backward compatibility of old-IKE (i.e. when an old-IKE initiates).
> > I think the market will follow a good solution.
>
> So far, that has not been shown true in the IPsec market. The
> proposal to remove preshared secrets from son-of-IKE was made as a
> way to *force* people towards the better solution. Given that IKE
> will exist forever, it is unclear to me that removing preshared
> secrets from son-of-IKE will do anything to convince the users of
> preshared secrets to switch.
If they use pre-shared keys, it is because they do not understand how IKE/IPSec works. I agree with you: people will see no reason to move to son-of-IKE; they will actually see it as a bad move because they do not have pre-shared keys anymore. But this is because son-of-IKE would bring nothing else than the hassle of switching.
I believe that son-of-IKE should get rid of pre-shared keys and aggressive mode (both for security reasons) but should also provide new market-required features (at least, the most important ones) => users will switch over to son-of-IKE. Just cleaning the protocol is not enough to make people consider it. Who cares about a car consuming less if gas is cheap? Making it more comfortable and safer will push people to upgrade.
Promoting son-of-IKE as more secure is a good start; adding necessary features will make the protocol more comfortable to deploy and users will move (e.g.: remote-SPI-inexistent determination).
frederic
> --Paul Hoffman, Director
> --VPN Consortium
--
------------------------- * oOo * -------------------------
Frederic Detienne
Cisco Systems Escalation Engineer
Security & Network Services
Tel 32 2 704 55 55