
Re: On shared keys




Tylor wrote:


> And back to Ricky's point of merging the IPSRA work into SOI; modifying IKE
> to accommodate remote access requirements.  This really isn't a new war, and
> it's too frustrating for me to get into in depth.  It's clear that there is
> a large market out there which has invested in PSK or token-based
> authentication.  It's clear that whatever we come up with better take this
> into account.  The real question is how to make it all work together.
> I'll contend that the easiest way to do this is to address the remote
> access requirements within IKE/SOI.  Others say that separate protocols should
> be used as "building blocks" to achieve this.  I can't help seeing these
> separate protocols as workarounds for deficiencies in the original design
> of IKE, and adding complexity to the overall solution we are presenting to
> our customers.  If we're given the chance to start again (maybe that's
> really not true), why not attempt to reconcile with the new IPSRA
> requirements in SOI?  I'd hate to see us make the same mistakes twice.


The separation of essential functions into "building blocks" may be
useful in terms of making it easier to prove security. But it also
adds RTTs for low-bandwidth, high-delay users, making all this not so
good for folks accessing through cellular networks. Yes, you may only
have to do it now and then, but still. Seems like an awful lot of complexity,
if the real application is in any case through some sort of shared secrets.

Jari


