[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Please save the pre-shared key mode

To: "Wang, Cliff" <CWang@smartpipes.com>, ipsec@lists.tislabs.com
Subject: Re: Please save the pre-shared key mode
From: Alex Alten <Alten@netvista.net>
Date: Wed, 05 Dec 2001 19:20:48 -0800
In-Reply-To: <4652644B98DFF34696801F8F3070D3FE011884A2@D2CSPEXM001.smartpipes.com>
Sender: owner-ipsec@lists.tislabs.com

I *strongly* 2nd this motion.  It would be extremely foolish
to eliminate PSK support.  Foolish in this case translates into
lots of extra expensive hardware, etc., for our poor customers.

Of course software can handle the complexity of key distribution,
thus eliminating the supposed advantage of PK v.s. PSK.

Cliff, you need to understand the reason why PK is so popular
with the IP crowd here.  Basically most of the older, influencial
developers/architects are very pro-privacy. They grew up in the 60's
and 70's during the height of the US Vietnam anti-war protests.
PK really fits into their group-think philosphy of distrusting the
government or whatever (dispite the fact that in the US, Europe and
Japan most governments are very representative of the people).

Unfortunately for them, in the real world, IP routing layer 
infrastructure is owned by corporate or governmental organizations, 
not by individuals.  Therefore privacy is being granted by the 
organization to the individual in order to use and access network 
resources owned by that organization.  PK does *not* fit this model
very well.  After all why does an individual need generate a private
key to access an organization's computers?  Might as well just hand
him the private key, therefore PSK works just as well.

The pity is that this heavy bias toward PK then blinds these guys
and gals to the real problems with PK, primarily that it is **dog
slow**, and tends to expand things (to the modulus size) thus making
it a pain-in-the-ass to stick into a protocol (especially one that 
has to go over a slow, noisy wireless link).  Basically PK is
the crypto world's equivalent of the networking world's ASN.1.
It will be with us always whether we like it or not. Ugh.

BTW, AtHome made it very clear to me recently that I (or my ISP ATT/TCI)
had absolutely no rights to their network computers (like my email inbox
on one of their servers).  A rather clear demonstration of the fact
that my network access is a privilege granted by an organization (in
exchange for money in this case), not a right.  Therefore using PK for
it's secret private key advantage is rather useless.  AtHome would 
have cared less if I used PK or PSK with a VPN to access their email
server.

- Alex

At 08:27 PM 12/5/2001 -0000, Wang, Cliff wrote:
> 
>   
> I have noticed that pre-shared key has been eliminated in the
> new key management protocol drafts. I understand the urge to
> simplify the existing IKE protocol. However, I do think that
> pre-shared key mode should be left as an option. There are a
> couple of reasons for that suggestion:
>  
> 1) Simplicity
> Pre-shared key mode is simpler to support by eliminating the
> requirement of supporting complex PKI. Without the pre-shared
> key mode, are we forcing ourselves into using PKI system
> (assuming we are not using KINK)? If so, I would like to suggest
> that the new IKE replacement draft authors add the PSK options.
> There are many existing deployment of PSK based IPsec VPN and
> service providers are happy to keep the way it is without using
> PKI.
>  
> 2) Cost
> Running PKI requires additional resources and increase the overall
> cost of VPN deployment for managed service providers, while end
> customer sees no increased benefits. If a customer out-sources his
> VPN and he only cares about site-to-site secure connection, he is
> probably not willing to choose a more costly PKI based solution. 
>  
> 3) Scalability
> Although PKI does provide a much better scalability in key delivery,
> for a managed VPN where each device has a secure channel to the
> managing server, this advantage is less important. PSK can be generated
> and provisioned to each box via the management channel to the device
> easily for a managed VPN, along with other IPsec tunnel parameter
> settings. Under such a centralized managed VPN, PSK based solution has
> a good scalability.
>   
> We have implementations and operational experience that show that an
> automated VPN management tool has no scalability difficulties managing
> PSK for each tunnel.  Therefore we believe that PSK is a viable choice
> for VPN implementations and that PSK mode should be saved.

--

Alex Alten
Alten@Home.Com

Follow-Ups:

Re: Please save the pre-shared key mode

From: Henry Spencer <henry@spsystems.net>

Re: Please save the pre-shared key mode

From: Sara Bitan <sarab@cs.Technion.AC.IL>

Re: Please save the pre-shared key mode

From: Michael Thomas <mat@cisco.com>

Re: Please save the pre-shared key mode

From: "david chen" <ietf_davidchen@hotmail.com>

References:

Please save the pre-shared key mode

From: "Wang, Cliff" <CWang@smartpipes.com>

Prev by Date: Re: discussion of SIGMA-IKE
Next by Date: Re: Please save the pre-shared key mode
Prev by thread: Please save the pre-shared key mode
Next by thread: Re: Please save the pre-shared key mode
Index(es):
- Main
- Thread