
RE: Please save the pre-shared key mode



Here is some voice from the field.
We usually use PSK-based IKE to test VPN connectivity before we go
further with any PKI-based IKE roll-out, just because for field
engineers it is sometimes better to use a simple and easy setup process
and procedure to implement a quick test before we start to tune up the
connection.
So I hope the high-level spec could at least keep PSK-based IKE as an
option for the sake of easy testing. Please don't drop it.
Alex


-----Original Message-----
From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com] On Behalf Of Wang, Cliff
Sent: Thursday, December 06, 2001 8:31 PM
To: 'Jan Vilhuber'
Cc: 'Dan McDonald'; ipsec@lists.tislabs.com
Subject: RE: Please save the pre-shared key mode

From the operational point of view, PSK is quick and easy to set up as a
service. It works and customers are happy. It is more real than a myth.



-----Original Message-----
From: Jan Vilhuber [mailto:vilhuber@cisco.com] 
Sent: Thursday, December 06, 2001 6:39 PM
To: Wang, Cliff
Cc: 'Dan McDonald'; ipsec@lists.tislabs.com
Subject: RE: Please save the pre-shared key mode

> On the other hand, PSK-based IKE and PKI-based IKE have been the main
> way people deploy VPNs. Under that context, PSK is simpler to run than
> PKI.
> 
I think that's the myth Dan was talking about.

jan



> 
> -----Original Message-----
> From: Dan McDonald [mailto:danmcd@east.sun.com]
> Sent: Thursday, December 06, 2001 1:28 PM
> To: Wang, Cliff
> Cc: ipsec@lists.tislabs.com
> Subject: Re: Please save the pre-shared key mode
> 
> 
> > 1) Simplicity
> > Pre-shared key mode is simpler to support by eliminating the
> > requirement of supporting complex PKI.
> 
> It's a myth that public-key implies you MUST have a PKI.
> 
> Self-signed certs combined with explicit out-of-band trust models is
> just as non-cumbersome as pre-shared keys, IMHO, and they also offer
> IP-address-portability.  (Henry Spencer, correct me if I'm wrong, but
> FreeSWAN has a self-signed cert model that works, right?)
> 
> If we keep pre-shared, let's have a scalable way of identifying them.
> In a multi-homed world (esp. IPv6), pre-shared keys indexed by address
> pairs is as much hassle as PKI registration (it's just less snake-oil
> than most PKIs ;).
> 
> For testing, I run server machines with self-signed certs.  For small
> (10-100) numbers of clients, it works out _quite_ nicely, and w/o any
> of the PKI cruft.  Peer-to-peer explosions are about the only case
> where PKI is really needed, and pre-shared won't help you any there
> either.  It's just a matter of running certificate-generation, e-mail,
> and verifying hashes out-of-band.
> 
> I'm not totally against nuking pre-shared.  It's not, however, the
> panacea of simplicity many think it is, and simplicity arguments don't
> hold water.
> 
> Dan
> 

 --
Jan Vilhuber
vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
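The "self-signed certs plus explicit out-of-band trust" model Dan describes above (generate a cert per peer, exchange fingerprints over a separate channel, pin them by peer identity rather than by IP address), as an added example that is not code from anyone on this thread. It assumes the openssl command-line tool is installed; the peer names, file names and trust-file format are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed certs with an
# out-of-band pinned-fingerprint trust model, no CA or PKI involved.
# Assumes the openssl CLI; peer names and file layout are constructed.
set -eu
WORK=$(mktemp -d)

# Each peer mints its own self-signed certificate and key.
gen_peer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# SHA-256 fingerprint of the certificate in $1 (colon-separated hex only).
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Pin peer $2's fingerprint (taken from cert $3) in trust file $1. In real
# use the value is first checked against what the peer's admin sent by
# e-mail or phone; that out-of-band comparison is the whole trust model.
trust_peer() {
  printf '%s %s\n' "$2" "$(fingerprint "$3")" >> "$1"
}

# Accept cert $3 presented by peer $2 only if its fingerprint equals the
# one pinned for that identity in trust file $1. Keyed by identity, not by
# address, so a multi-homed or renumbered peer needs no re-keying.
verify_peer() {
  expected=$(awk -v n="$2" '$1 == n { print $2 }' "$1")
  [ -n "$expected" ] && [ "$expected" = "$(fingerprint "$3")" ]
}

# Demo: two peers, only alice's fingerprint is pinned.
gen_peer alice
gen_peer bob
trust_peer "$WORK/trust" alice "$WORK/alice.crt"
if verify_peer "$WORK/trust" alice "$WORK/alice.crt"; then
  echo "alice: accepted"
fi
if ! verify_peer "$WORK/trust" alice "$WORK/bob.crt"; then
  echo "bob presenting as alice: rejected"
fi
```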


