
Re: charter question re IKE changes



Paul Hoffman / VPNC wrote:
> 
> At 9:35 AM -0700 10/13/00, Dan Harkins wrote:
> >   The lack of people implementing good products should not be a
> >motivating factor in developing standards. If we all agree on
> >how it *could* work then let's promote that.
> 
> Of course. We should continue to promote certs and explain the
> security problems of preshared secrets. No one has said otherwise.
> The question is should we continue to allow the *use* of preshared
> secrets.

Only through backward compatibility of old-IKE (i.e. when an old-IKE initiates).

> >   I think the market will follow a good solution.
> 
> So far, that has not been shown true in the IPsec market. The
> proposal to remove preshared secrets from son-of-IKE was made as a
> way to *force* people towards the better solution. Given that IKE
> will exist forever, it is unclear to me that removing preshared
> secrets from son-of-IKE will do anything to convince the users of
> preshared secrets to switch.

If they use pre-shared keys, it is because they do not understand how IKE/IPSec works. I agree with you: people will see no reason to move to son-of-IKE; they will actually see it as a bad move because they do not have pre-shared keys anymore. But this is because son-of-IKE would bring nothing else than the hassle of switching.

I believe that son-of-IKE should get rid of pre-shared keys and aggressive mode (both for security reasons) but should also provide new market-required features (at least, the most important ones) => users will switch over to son-of-IKE. Just cleaning the protocol is not enough to make people consider it. Who cares about a car consuming less if gas is cheap? Making it more comfortable and safer will push people to upgrade.

Promoting son-of-IKE as more secure is a good start; adding necessary features will make the protocol more comfortable to deploy and users will move (e.g. remote-SPI-nonexistent determination).

	frederic


> --Paul Hoffman, Director
> --VPN Consortium

-- 
------------------------- * oOo * -------------------------
                     Frederic Detienne
              Cisco Systems Escalation Engineer
                 Security & Network Services

                     Tel 32 2 704 55 55

