
Re: On shared keys



On Tue, 27 Nov 2001, Ricky Charlet wrote:

> 	But, I would like to make the point (as others have) that a PSK
> authentication system which can easily interact with popular back-end
> authentication servers and will not tie the peers down to
> pre-configured, known IP addresses would be a highly usable and popular
> protocol as it would conveniently address a great need. IMHO, such an
> authentication method is in more demand than a PK authentication method
> even though the PK authentication could scale larger.
>
> 	Next generation IKEers have all set about the goals of reducing
> complexity and setup cost. But I would also request (and here starts a
> new war) that the authors of IKE replacement protocols also consider
> taking on the goals set forth in the ipsra WG
> (draft-ietf-ipsra-reqmts-04.txt) but with the ability to 'change IKE'.
>
> 	I think that we should do a PSK authentication method because it would
> be useful.

I agree with you Ricky ...  IMO, if we leave out PSK authentication from
SOI, then we are not addressing the needs of the marketplace.  First, as
others have pointed out, for site-to-site VPNs, PSK seems to be the
de-facto standard.  Why?  Because they are simple to set up/manage and they
work (interoperable implementations).  Can the new SOI standard be used to
accommodate these users?  To me there seems to be a conflict between
requirements of SOI to scale, but yet be simple to use in single
site-to-site setups.  I'm not sure if a single SOI authentication mechanism
can be found which will meet both of these requirements.

And back to Ricky's point of merging the IPSRA work into SOI; modifying IKE
to accommodate remote access requirements.  This really isn't a new war, and
it's too frustrating for me to get into in depth.  It's clear that there is
a large market out there which has invested in PSK or token-based
authentication.  It's clear that whatever we come up with better take this
into account.  The real question is how to make it all work together.
I'll contend that the easiest way to do this is to address the remote
access requirements within IKE/SOI.  Others say that separate protocols should
be used as "building blocks" to achieve this.  I can't help seeing these
separate protocols as workarounds for deficiencies in the original design
of IKE, and adding complexity to the overall solution we are presenting to
our customers.  If we're given the chance to start again (maybe that's
really not true), why not attempt to reconcile with the new IPSRA
requirements in SOI?  I'd hate to see us make the same mistakes twice.

=====================================================================
= Tylor Allison         Secure Computing Corporation        =========
= phone: 651.628.1554   e-mail: allison@securecomputing.com =========
=====================================================================