
RE: Please kill preshared key.

IKE is for "key exchange" and derives the key for IPsec SA.

Pre-shared key is for authentication in IKE SA.

I think you have confused Phase 1 pre-shared key authentication with a
pre-shared key IPsec SA (static key IPsec SA), which doesn't need key
management. :(
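To make the distinction drawn in the reply above concrete, here is an added Python sketch. It is not code from anyone on the list and not an IKE implementation; it models the pre-shared-key main-mode derivation of RFC 2409 section 5 (SKEYID = prf(PSK, Ni | Nr), SKEYID_d/a/e fed by the Diffie-Hellman secret g^xy and the cookies, HASH_I as the authenticator). Assumptions: HMAC-SHA256 stands in for the negotiated prf, the 768-bit MODP group of RFC 2409 (Oakley group 1) is used for DH purely so the DH step is real, and the identities, cookies and SA payload body are constructed placeholders. Running it shows that two exchanges with the same PSK still derive different IPsec keying material (the nonces and g^xy change every time), while a peer with the wrong PSK fails HASH_I verification: the PSK authenticates the IKE SA, it does not itself key the IPsec SA.

```python
import hashlib
import hmac
import secrets

# 768-bit MODP modulus from RFC 2409 section 6.1 (Oakley group 1), generator 2.
# Included only so the DH step is a real computation; a group this small is
# far too weak for any current deployment.
MODP_768 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1's prf is the negotiated HMAC; HMAC-SHA256 is an assumption here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def derive_phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID family of RFC 2409 section 5 for pre-shared-key authentication.

    The PSK only seeds SKEYID via the nonces; the DH secret g^xy and the
    cookies feed every key actually used, so the PSK never becomes traffic
    keying material by itself.
    """
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")            # IPsec keying material
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # IKE SA integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # IKE SA encryption
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I: the initiator's proof that it knows the PSK behind SKEYID."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


class Peer:
    """One IKE endpoint: its PSK, identity, cookie, nonce and DH key pair."""

    def __init__(self, psk: bytes, identity: bytes):
        self.psk = psk
        self.identity = identity
        self.cookie = secrets.token_bytes(8)
        self.nonce = secrets.token_bytes(16)
        self.x = secrets.randbelow(MODP_768 - 2) + 1   # private DH exponent
        self.public = pow(GENERATOR, self.x, MODP_768)  # g^x sent to the peer

    def shared_secret(self, peer_public: int) -> bytes:
        return to_bytes(pow(peer_public, self.x, MODP_768))  # g^xy


def run_exchange(initiator_psk: bytes, responder_psk: bytes) -> dict:
    """Simulate one main-mode run with each side holding its own PSK.

    Returns whether the responder accepted HASH_I and the initiator's SKEYID_d.
    """
    init = Peer(initiator_psk, b"id:initiator")     # constructed identity
    resp = Peer(responder_psk, b"id:responder")     # constructed identity
    sai_b = b"constructed-SA-payload-body"          # stand-in for the SA payload

    gxi, gxr = to_bytes(init.public), to_bytes(resp.public)
    gxy_i = init.shared_secret(resp.public)          # initiator's view of g^xy
    gxy_r = resp.shared_secret(init.public)          # responder's view of g^xy

    keys_i = derive_phase1_keys(init.psk, init.nonce, resp.nonce, gxy_i, init.cookie, resp.cookie)
    keys_r = derive_phase1_keys(resp.psk, init.nonce, resp.nonce, gxy_r, init.cookie, resp.cookie)

    # The initiator sends HASH_I; the responder recomputes it from its own SKEYID.
    sent = hash_i(keys_i[0], gxi, gxr, init.cookie, resp.cookie, sai_b, init.identity)
    expected = hash_i(keys_r[0], gxi, gxr, init.cookie, resp.cookie, sai_b, init.identity)
    return {"authenticated": hmac.compare_digest(sent, expected), "skeyid_d": keys_i[1]}


if __name__ == "__main__":
    psk = b"constructed-demo-psk"
    first, second = run_exchange(psk, psk), run_exchange(psk, psk)
    print("same PSK, both authenticated:", first["authenticated"] and second["authenticated"])
    print("same PSK, same IPsec keying material:", first["skeyid_d"] == second["skeyid_d"])
    print("wrong PSK, authenticated:", run_exchange(psk, b"some-other-psk")["authenticated"])
```

The last two lines of output are the point of the thread: "same IPsec keying material" prints False because the nonces and g^xy differ per exchange, and the wrong-PSK run prints False because HASH_I no longer matches. A static-key IPsec SA, by contrast, would use one fixed key with no such per-exchange derivation at all.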

-----Original Message-----
From: david chen [mailto:ietf_davidchen@hotmail.com] 
Sent: Thursday, December 06, 2001 5:30 PM
To: sommerfeld@east.sun.com; ipsec@lists.tislabs.com
Subject: Re: Please kill preshared key.


Agree,

IKE is for 'key exchange'.
There is *no* need to change keys in pre-shared key mode.

In the pre-shared key model, the two devices can just go directly to phase 2
of IPsec.

--- David

----- Original Message -----
From: "Bill Sommerfeld" <sommerfeld@east.sun.com>
To: <ipsec@lists.tislabs.com>
Sent: Thursday, December 06, 2001 1:47 PM
Subject: Please kill preshared key.


> Since there are people arguing to save preshared key, I just wanted to 
> reemphasize that:
>
>  0) it adds cryptographic complexity -- you essentially need a 
> different cryptographic protocol for PSK vs. signature keys.  Let's 
> spend the cycles of our cryptographers on more important stuff than 
> this.
>
>  1) it adds YET ONE MORE OPTION you need to test, one more knob you 
> can misconfigure.. more time for customers spent fumbling around 
> trying to figure out how to configure systems.
>
>  2) equivalent functionality can be found in preconfigured public keys 
> and/or self-signed certificates.
>
> There's no need for it, it adds complexity.  Kill it.
>
> - Bill
>