I have noticed that pre-shared key has been eliminated in the new key
management protocol drafts. I understand the urge to simplify the existing
IKE protocol. However, I do think that pre-shared key mode should be left as
an option. There are a couple of reasons for that suggestion:

1) Simplicity

Pre-shared key mode is simpler to support by eliminating the requirement of
supporting complex PKI. Without the pre-shared key mode, are we forcing
ourselves into using a PKI system (assuming we are not using KINK)? If so, I
would like to suggest that the new IKE replacement draft authors add the PSK
options. There are many existing deployments of PSK-based IPsec VPNs, and
service providers are happy to keep it the way it is without using PKI.

2) Cost

Running PKI requires additional resources and increases the overall cost of
VPN deployment for managed service providers, while the end customer sees no
increased benefits. If a customer outsources his VPN and he only cares about
site-to-site secure connection, he is probably not willing to choose a more
costly PKI-based solution.

3) Scalability

Although PKI does provide much better scalability in key delivery, for a
managed VPN where each device has a secure channel to the managing server,
this advantage is less important. PSK can be generated and provisioned to
each box via the management channel to the device easily for a managed VPN,
along with other IPsec tunnel parameter settings. Under such a centralized
managed VPN, a PSK-based solution has good scalability.

We have implementations and operational experience that show that an
automated VPN management tool has no scalability difficulties managing PSK
for each tunnel. Therefore we believe that PSK is a viable choice for VPN
implementations and that PSK mode should be saved.