
RE: Please save the pre-shared key mode



If I remember correctly, the HW accelerators only speed up the encryption
process and not authentication. The testings we have done showed that, for
the authentication phase, with the same CPU (Cisco 26xx), the ratio of pkts
dropped for PSK to PK is 1 to 8 (PK setup is a hierarchical CA with RA &
external CRL).

Perhaps one needs to think about "What is the best way to handle real time
traffic?"

Alister
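As an added illustration of the authentication-cost point made above (this code is not part of the thread and not any vendor's implementation), the following Python shows the pre-shared-key authenticator later standardized for IKEv2 in RFC 7296, section 2.15: the AUTH payload is just a few PRF invocations over the exchange transcript, with no signature verification, certificate chain or CRL fetch. HMAC-SHA256 is assumed as the PRF, and every key, nonce and message value is constructed sample data.

```python
# Added example (not from the thread): an IKEv2-style pre-shared-key
# authenticator following the construction in RFC 7296 section 2.15.
# HMAC-SHA256 is assumed as the PRF; all keys, nonces and messages below
# are constructed sample values, not real protocol captures.
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # fixed pad string defined by RFC 7296


def prf(key: bytes, data: bytes) -> bytes:
    """PRF negotiated for the IKE SA (HMAC-SHA256 assumed here)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def signed_octets(real_message: bytes, peer_nonce: bytes,
                  id_payload: bytes, sk_p: bytes) -> bytes:
    """Octets covered by AUTH: the sender's first message, the peer's nonce,
    and the MACed ID payload, prf(SK_p, RestOfIDPayload)."""
    return real_message + peer_nonce + prf(sk_p, id_payload)


def psk_auth(psk: bytes, octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(psk, KEY_PAD), octets)


def verify_psk_auth(psk: bytes, octets: bytes, auth: bytes) -> bool:
    """Receiver-side check: recompute AUTH and compare in constant time."""
    return hmac.compare_digest(psk_auth(psk, octets), auth)


# Constructed sample values (hypothetical; not from any real exchange).
PSK = b"constructed-demo-psk-do-not-reuse"
SK_PI = bytes(range(32))                 # stands in for SK_pi from the key derivation
MESSAGE1 = b"IKE_SA_INIT request (constructed)"
NONCE_R = b"responder-nonce-constructed-0123"
ID_I = b"\x02\x00\x00\x00" + b"vpn-gw.example"  # ID_FQDN-style payload body


def demo():
    """Returns (valid AUTH accepted, tampered transcript rejected, wrong PSK rejected)."""
    octets = signed_octets(MESSAGE1, NONCE_R, ID_I, SK_PI)
    auth = psk_auth(PSK, octets)
    ok = verify_psk_auth(PSK, octets, auth)
    # Any change to the covered IKE_SA_INIT bytes (e.g. an altered proposal)
    # changes the signed octets, so the same AUTH no longer verifies.
    tampered = signed_octets(MESSAGE1 + b"x", NONCE_R, ID_I, SK_PI)
    bad_msg = verify_psk_auth(PSK, tampered, auth)
    wrong_psk = verify_psk_auth(b"some-other-psk", octets, auth)
    return ok, bad_msg, wrong_psk


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The whole authentication step is three HMACs on each side, which is the cost difference the thread is arguing about; the same transcript binding also means a modified IKE_SA_INIT message is rejected at AUTH time, so the cheapness does not come at the expense of integrity of the negotiated parameters.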

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Alex Alten
> Sent: 07 December 2001 06:39
> To: Michael Choung Shieh; 'Jan Vilhuber'
> Cc: 'Wang, Cliff'; 'Michael Thomas'; ipsec@lists.tislabs.com
> Subject: RE: Please save the pre-shared key mode
>
>
>
> It's more than just complexity of configuring keys.  It's also about
> speed of authentication.  Not everyone is using hw cypto chip accelerators
> to do it.  Not everyone has fast CPU's to do it.  In my mind PSK should
> be the 1st choice, with PK the 2nd, optional choice.  And don't respond
> with the usual bull about scalability, that doesn't cut any ice.
>
> - Alex
>
>
> At 05:13 PM 12/6/2001 -0800, Michael Choung Shieh wrote:
> >
> >I agree.  User won't care if it's pre-shared or public-key system as long as
> >they can easily configure it and make it work.
> >
> >However, I wonder if we can really make it as easy as PSK.  IKEv1 has all
> >the options of preshare symmetric vs. public-key but most admin just use
> >PSK.  self-signed cert won't work in a typical use case where system admin
> >configures vpn then sends config to remote users.  He will need to send them
> >in clear or PKCS12.
> >
> >Before we dump PSK, can someone propose a way to deal with public key system
> >other than PKI?  I think we should examine the process before claiming PSK
> >is dead.
> >
> >the claim of adding complexity or option is not a valid statement.  After
> >all PSK is most popular auth method and comparably simple.  The claim is
> >better suited for PKI (any objection?), but I won't complain about it since it
> >provides my job security.
> >
> >--------------------------------------------
> >Michael Shieh
> >--------------------------------------------
> >
> >-----Original Message-----
> >From: Jan Vilhuber [mailto:vilhuber@cisco.com]
> >Sent: Thursday, December 06, 2001 3:37 PM
> >To: Michael Choung Shieh
> >Cc: 'Wang, Cliff'; 'Michael Thomas'; Alex Alten; ipsec@lists.tislabs.com
> >Subject: RE: Please save the pre-shared key mode
> >
> >
> >On Thu, 6 Dec 2001, Michael Choung Shieh wrote:
> >
> >> From our experience more than 80% of VPN users are using PSK.
> >
> >That's fine. For a user-interface, you can make a public-key system look
> >EXACTLY like a pre-shared symmetric key system (maybe not exactly, but at
> >least as simple).
> >
> >jan
> >
> >
> >> While we are
> >> developing a standard to replace IKE v1, let's not leave the existing users
> >> behind.  Although we may give many reasons that PKI provides more security
> >> and scalability, its (relatively) easy config of PSK brings IKE to wide
> >> adoption.
> >>
> >> --------------------------------------------
> >> Michael Shieh
> >> NetScreen Technologies, Inc
> >> --------------------------------------------
> >>
> >> -----Original Message-----
> >> From: Wang, Cliff [mailto:CWang@smartpipes.com]
> >> Sent: Thursday, December 06, 2001 9:57 AM
> >> To: 'Michael Thomas'; Alex Alten
> >> Cc: Wang, Cliff; ipsec@lists.tislabs.com
> >> Subject: RE: Please save the pre-shared key mode
> >>
> >>
> >> Very simple reasons,
> >>
> >> IKEv1 is going to be replaced by IKEv2 in the future and KINK has yet to be
> >> standardized and it is not going to replace IKE. On the other hand, adding
> >> PSK support in IKEv2 is not an overkill, but provides much more
> >> flexibilities and more choices for service providers.
> >>
> >> -----Original Message-----
> >> From: Michael Thomas [mailto:mat@cisco.com]
> >> Sent: Thursday, December 06, 2001 12:43 PM
> >> To: Alex Alten
> >> Cc: Wang, Cliff; ipsec@lists.tislabs.com
> >> Subject: Re: Please save the pre-shared key mode
> >>
> >>
> >> Alex Alten writes:
> >>  >
> >>  > I *strongly* 2nd this motion.  It would be extremely foolish
> >>  > to eliminate PSK support.  Foolish in this case translates into
> >>  > lots of extra expensive hardware, etc., for our poor customers.
> >>
> >>    There are already two choices for keying IPsec SA's
> >>    with pre-shared keys with IETF protocols:
> >>
> >>    1) IKEv1
> >>    2) KINK
> >>
> >>    The latter can be used peer-peer as well, and
> >>    fixes many of the problems with (1). Why then
> >>    do we need to have yet another?
> >>
> >> 	 Mike
> >>
> >
> >--
> >Jan Vilhuber                                            vilhuber@cisco.com
> >Cisco Systems, San Jose                                 (408) 527-0847
> >
> >
> --
>
> Alex Alten
> Alten@Home.Com
>
>


