
RE: Please save the pre-shared key mode




I agree.  Users won't care whether it's a pre-shared or public-key system as
long as they can easily configure it and make it work.

However, I wonder if we can really make it as easy as PSK.  IKEv1 has all
the options of pre-shared symmetric vs. public-key, but most admins just use
PSK.  A self-signed cert won't work in a typical use case where the system
admin configures the VPN and then sends the config to remote users.  He will
need to send them in the clear or as PKCS12.

Before we dump PSK, can someone propose a way to deal with a public-key
system other than PKI?  I think we should examine the process before claiming
PSK is dead.

The claim of adding complexity or options is not a valid statement.  After
all, PSK is the most popular auth method and comparably simple.  The claim is
better suited to PKI (any objection?), but I won't complain about it since it
provides my job security.

--------------------------------------------
Michael Shieh
--------------------------------------------

-----Original Message-----
From: Jan Vilhuber [mailto:vilhuber@cisco.com]
Sent: Thursday, December 06, 2001 3:37 PM
To: Michael Choung Shieh
Cc: 'Wang, Cliff'; 'Michael Thomas'; Alex Alten; ipsec@lists.tislabs.com
Subject: RE: Please save the pre-shared key mode


On Thu, 6 Dec 2001, Michael Choung Shieh wrote:

> 
> From our experience more than 80% of VPN users are using PSK.

That's fine. For a user-interface, you can make a public-key system look
EXACTLY like a pre-shared symmetric key system (maybe not exactly, but at
least as simple).

jan


> While we are developing a standard to replace IKE v1, let's not leave the
> existing users behind.  Although we may give many reasons that PKI provides
> more security and scalability, it's the (relatively) easy config of PSK that
> brought IKE to wide adoption.
> 
> --------------------------------------------
> Michael Shieh
> NetScreen Technologies, Inc
> --------------------------------------------
> 
> -----Original Message-----
> From: Wang, Cliff [mailto:CWang@smartpipes.com]
> Sent: Thursday, December 06, 2001 9:57 AM
> To: 'Michael Thomas'; Alex Alten
> Cc: Wang, Cliff; ipsec@lists.tislabs.com
> Subject: RE: Please save the pre-shared key mode
> 
> 
> Very simple reasons,
> 
> IKEv1 is going to be replaced by IKEv2 in the future, and KINK has yet to be
> standardized and is not going to replace IKE.  On the other hand, adding
> PSK support in IKEv2 is not overkill, but provides much more flexibility
> and more choices for service providers.
> 
> -----Original Message-----
> From: Michael Thomas [mailto:mat@cisco.com] 
> Sent: Thursday, December 06, 2001 12:43 PM
> To: Alex Alten
> Cc: Wang, Cliff; ipsec@lists.tislabs.com
> Subject: Re: Please save the pre-shared key mode
> 
> 
> Alex Alten writes:
>  > 
>  > I *strongly* 2nd this motion.  It would be extremely foolish
>  > to eliminate PSK support.  Foolish in this case translates into
>  > lots of extra expensive hardware, etc., for our poor customers.
> 
>    There are already two choices for keying IPsec SA's
>    with pre-shared keys with IETF protocols:
> 
>    1) IKEv1
>    2) KINK
> 
>    The latter can be used peer-peer as well, and
>    fixes many of the problems with (1). Why then
>    do we need to have yet another? 
> 
>    Mike
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847

