RE: Please save the pre-shared key mode
From the operations point of view, PSK is a quick and easy way to set up service.
It works and customers are happy. It is more real than a myth.
-----Original Message-----
From: Jan Vilhuber [mailto:vilhuber@cisco.com]
Sent: Thursday, December 06, 2001 6:39 PM
To: Wang, Cliff
Cc: 'Dan McDonald'; ipsec@lists.tislabs.com
Subject: RE: Please save the pre-shared key mode
> On the other hand, PSK-based IKE and PKI-based IKE have been the main
> ways people deploy VPNs. Under that context, PSK is simpler to run than PKI.
>
I think that's the myth Dan was talking about.
jan
>
> -----Original Message-----
> From: Dan McDonald [mailto:danmcd@east.sun.com]
> Sent: Thursday, December 06, 2001 1:28 PM
> To: Wang, Cliff
> Cc: ipsec@lists.tislabs.com
> Subject: Re: Please save the pre-shared key mode
>
>
> > 1) Simplicity
> > Pre-shared key mode is simpler to support by eliminating the
> > requirement of supporting complex PKI.
>
> It's a myth that public-key implies you MUST have a PKI.
>
> Self-signed certs combined with explicit out-of-band trust models are
> just as non-cumbersome as pre-shared keys, IMHO, and they also offer
> IP-address-portability. (Henry Spencer, correct me if I'm wrong, but
> FreeSWAN has a self-signed cert model that works, right?)
>
> If we keep pre-shared, let's have a scalable way of identifying them.
> In a multi-homed world (esp. IPv6), pre-shared keys indexed by address
> pairs are as much hassle as PKI registration (it's just less snake-oil
> than most PKIs ;).
>
> For testing, I run server machines with self-signed certs. For small
> (10-100) numbers of clients, it works out _quite_ nicely, and w/o any
> of the PKI cruft. Peer-to-peer explosions are about the only case
> where PKI is really needed, and pre-shared won't help you any there
> either. It's just a matter of running certificate-generation, e-mail,
> and verifying hashes out-of-band.
>
> I'm not totally against nuking pre-shared. It's not, however, the
> panacea of simplicity many think it is, and simplicity arguments don't
> hold water.
>
> Dan
>
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847
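The self-signed-cert-plus-out-of-band-hash model Dan describes, and his point that peers should be identified by something other than an address pair, together amount to a small amount of code. The block below is an added example written for this page; it is not code from the thread, from FreeSWAN, or from any IKE implementation. It assumes SHA-256 as the fingerprint hash (the thread only says "hashes"), assumes peers are named by a DNS-style identity carried in the certificate rather than by IP address, and uses constructed peer names (gw-a.example.net, gw-b.example.net). Each side generates its own self-signed certificate, the fingerprint is read out over a separate channel, and the trust store pins that fingerprint against the peer's identity. No CA, no PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// GenerateSelfSigned creates a self-signed certificate for the peer
// identity `name` and returns it in DER form. The identity lives in the
// certificate (SAN), not in an address, so the peer can move or be
// multi-homed without any trust-store change. (Assumed model, not from
// the thread: identity by name rather than address pair.)
func GenerateSelfSigned(name string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	// Template is also the parent: that is what makes it self-signed.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// Fingerprint is the value exchanged out of band (phone, signed mail, etc.).
// SHA-256 over the DER bytes is an assumption; the thread names no hash.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// TrustStore pins one fingerprint per peer identity. Keying by identity
// rather than by (local, remote) address pair is the "scalable way of
// identifying them" the thread asks for.
type TrustStore map[string]string

// Verify accepts a DER certificate presented by a peer claiming `name`
// only if (1) we have a pinned fingerprint for that identity, (2) the
// certificate actually carries that identity, and (3) the fingerprint
// matches. Any failure rejects; no chain building is involved.
func (ts TrustStore) Verify(name string, der []byte) error {
	pinned, ok := ts[name]
	if !ok {
		return fmt.Errorf("no pinned fingerprint for peer %q", name)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("peer %q sent an unparseable certificate: %w", name, err)
	}
	if err := cert.VerifyHostname(name); err != nil {
		return fmt.Errorf("certificate does not carry identity %q: %w", name, err)
	}
	if subtle.ConstantTimeCompare([]byte(Fingerprint(der)), []byte(pinned)) != 1 {
		return errors.New("certificate fingerprint does not match pinned value")
	}
	return nil
}

func main() {
	// Two constructed peers; in practice each generates its own cert.
	a, _ := GenerateSelfSigned("gw-a.example.net")
	b, _ := GenerateSelfSigned("gw-b.example.net")
	fmt.Println("read this out of band for gw-a:", Fingerprint(a))

	ts := TrustStore{"gw-a.example.net": Fingerprint(a)}
	fmt.Println("genuine gw-a cert:", ts.Verify("gw-a.example.net", a))
	fmt.Println("gw-b cert posing as gw-a:", ts.Verify("gw-a.example.net", b))
	fmt.Println("unpinned peer gw-b:", ts.Verify("gw-b.example.net", b))
}
```

The trust decision is the pinned fingerprint, so the certificate's own signature and validity period add nothing to authentication here; they matter only if the same certificate is later reused somewhere that does build chains. Rotating a peer's key means one new out-of-band fingerprint exchange and one map entry, which is the per-peer cost Dan is comparing against a PSK entry.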