RE: Please save the pre-shared key mode
It's more than just complexity of configuring keys. It's also about
speed of authentication. Not everyone is using hw crypto chip accelerators
to do it. Not everyone has fast CPUs to do it. In my mind PSK should
be the 1st choice, with PK the 2nd, optional choice. And don't respond
with the usual bull about scalability, that doesn't cut any ice.
- Alex
At 05:13 PM 12/6/2001 -0800, Michael Choung Shieh wrote:
>
>I agree. Users won't care if it's pre-shared or public-key system as long as
>they can easily configure it and make it work.
>
>However, I wonder if we can really make it as easy as PSK. IKEv1 has all
>the options of preshare symmetric vs. public-key but most admin just use
>PSK. A self-signed cert won't work in a typical use case where the system admin
>configures the VPN then sends the config to remote users. He will need to send them
>in the clear or in PKCS12.
>
>Before we dump PSK, can someone propose a way to deal with public key system
>other than PKI? I think we should examine the process before claiming PSK
>is dead.
>
>The claim of adding complexity or options is not a valid statement. After
>all PSK is the most popular auth method and comparably simple. The claim is
>better suited for PKI (any objection?), but I won't complain about it since it
>provides my job security.
>
>--------------------------------------------
>Michael Shieh
>--------------------------------------------
>
>-----Original Message-----
>From: Jan Vilhuber [mailto:vilhuber@cisco.com]
>Sent: Thursday, December 06, 2001 3:37 PM
>To: Michael Choung Shieh
>Cc: 'Wang, Cliff'; 'Michael Thomas'; Alex Alten; ipsec@lists.tislabs.com
>Subject: RE: Please save the pre-shared key mode
>
>
>On Thu, 6 Dec 2001, Michael Choung Shieh wrote:
>
>>
>> From our experience more than 80% of VPN users are using PSK.
>
>That's fine. For a user-interface, you can make a public-key system look
>EXACTLY like a pre-shared symmetric key system (maybe not exactly, but at
>least as simple).
>
>jan
>
>
>> While we are
>> developing a standard to replace IKE v1, let's not leave the existing
>> users
>> behind. Although we may give many reasons that PKI provides more security
>> and scalability, its (relatively) easy config of PSK brought IKE to wide
>> adoption.
>>
>> --------------------------------------------
>> Michael Shieh
>> NetScreen Technologies, Inc
>> --------------------------------------------
>>
>> -----Original Message-----
>> From: Wang, Cliff [mailto:CWang@smartpipes.com]
>> Sent: Thursday, December 06, 2001 9:57 AM
>> To: 'Michael Thomas'; Alex Alten
>> Cc: Wang, Cliff; ipsec@lists.tislabs.com
>> Subject: RE: Please save the pre-shared key mode
>>
>>
>> Very simple reasons,
>>
>> IKEv1 is going to be replaced by IKEv2 in the future and KINK has yet to
>> be
>> standardized and it is not going to replace IKE. On the other hand, adding
>> PSK support in IKEv2 is not overkill, but provides much more
>> flexibility and more choices for service providers.
>>
>> -----Original Message-----
>> From: Michael Thomas [mailto:mat@cisco.com]
>> Sent: Thursday, December 06, 2001 12:43 PM
>> To: Alex Alten
>> Cc: Wang, Cliff; ipsec@lists.tislabs.com
>> Subject: Re: Please save the pre-shared key mode
>>
>>
>> Alex Alten writes:
>> >
>> > I *strongly* 2nd this motion. It would be extremely foolish to
>> > eliminate PSK support. Foolish in this case translates into lots of
>> > extra expensive hardware, etc., for our poor customers.
>>
>> There are already two choices for keying IPsec SAs
>> with pre-shared keys with IETF protocols:
>>
>> 1) IKEv1
>> 2) KINK
>>
>> The latter can be used peer-peer as well, and
>> fixes many of the problems with (1). Why then
>> do we need to have yet another?
>>
>> Mike
>>
>
> --
>Jan Vilhuber vilhuber@cisco.com
>Cisco Systems, San Jose (408) 527-0847
>
>
--
Alex Alten
Alten@Home.Com