
RE: Please save the pre-shared key mode



On Fri, 7 Dec 2001, Wang, Cliff wrote:

> From the operation point of view, PSK is quick and easy to set up service.
> It works and customers are happy. It is more real than a myth.
> 
The myth is that nothing else works. PSK is a behind-the-scenes abstraction
that good programmers can hide from users altogether. A good UI can hide any
other mechanism as well and make it as easy to configure.

jan


> 
> 
> -----Original Message-----
> From: Jan Vilhuber [mailto:vilhuber@cisco.com] 
> Sent: Thursday, December 06, 2001 6:39 PM
> To: Wang, Cliff
> Cc: 'Dan McDonald'; ipsec@lists.tislabs.com
> Subject: RE: Please save the pre-shared key mode
> 
> > On the
> > other hand, PSK based IKE and PKI based IKE have been the main way people
> > deploy VPNs. Under that context, PSK is simpler to run than PKI.
> > 
> I think that's the myth Dan was talking about.
> 
> jan
> 
> 
> 
> > 
> > -----Original Message-----
> > From: Dan McDonald [mailto:danmcd@east.sun.com]
> > Sent: Thursday, December 06, 2001 1:28 PM
> > To: Wang, Cliff
> > Cc: ipsec@lists.tislabs.com
> > Subject: Re: Please save the pre-shared key mode
> > 
> > 
> > > 1) Simplicity
> > > Pre-shared key mode is simpler to support by eliminating the
> > > requirement of supporting complex PKI.
> > 
> > It's a myth that public-key implies you MUST have a PKI.
> > 
> > Self-signed certs combined with explicit out-of-band trust models are 
> > just as non-cumbersome as pre-shared keys, IMHO, and they also offer 
> > IP-address-portability.  (Henry Spencer, correct me if I'm wrong, but 
> > FreeSWAN has a self-signed cert model that works, right?)
> > 
> > If we keep pre-shared, let's have a scalable way of identifying them.  
> > In a multi-homed world (esp. IPv6), pre-shared keys indexed by address 
> > pairs is as much hassle as PKI registration (it's just less snake-oil 
> > than most PKIs ;).
> > 
> > For testing, I run server machines with self-signed certs.  For small
> > (10-100) numbers of clients, it works out _quite_ nicely, and w/o any 
> > of the PKI cruft.  Peer-to-peer explosions are about the only case 
> > where PKI is really needed, and pre-shared won't help you any there 
> > either.  It's just a matter of running certificate-generation, e-mail, 
> > and verifying hashes out-of-band.
> > 
> > I'm not totally against nuking pre-shared.  It's not, however, the 
> > panacea of simplicity many think it is, and simplicity arguments don't 
> > hold water.
> > 
> > Dan
> > 
> 
>  --
> Jan Vilhuber                                            vilhuber@cisco.com
> Cisco Systems, San Jose                                     (408) 527-0847
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
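The "self-signed certs plus out-of-band trust" model Dan describes above, as an added example that is not part of this thread, FreeSWAN, or any IKE implementation: each peer generates its own self-signed certificate, e-mails it, and the receiving operator pins its SHA-256 fingerprint after confirming it over a separate channel. The trust store is keyed by the peer's identity rather than by an address pair, which is what gives the IP-address portability Dan mentions. The peer names (vpn-a.example) are constructed for the example; only the Go standard library is used.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint returns the hex SHA-256 of a certificate's DER encoding: the
// value two operators compare out of band before trusting an e-mailed cert.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// SelfSigned generates a key pair and a self-signed certificate for a peer
// identity (a DNS-style name, hypothetical here) and returns the DER bytes.
func SelfSigned(identity string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: identity},
		DNSNames:     []string{identity},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// Template and parent are the same certificate: no CA involved.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// TrustStore maps a peer identity to the fingerprint pinned for it. It is keyed
// by identity, not by address pair, so a multi-homed peer needs one entry.
type TrustStore map[string]string

// Pin records a fingerprint once the operator has confirmed it out of band.
func (ts TrustStore) Pin(identity, fingerprint string) { ts[identity] = fingerprint }

// Verify accepts a DER certificate presented by a peer claiming identity only if
// it hashes to the pinned fingerprint, is genuinely self-signed, names the
// identity, and is within its validity period. No chain building is done.
func (ts TrustStore) Verify(identity string, der []byte) error {
	want, ok := ts[identity]
	if !ok {
		return fmt.Errorf("no fingerprint pinned for %q", identity)
	}
	if subtle.ConstantTimeCompare([]byte(want), []byte(Fingerprint(der))) != 1 {
		return errors.New("fingerprint mismatch: not the certificate verified out of band")
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return errors.New("certificate is not self-signed")
	}
	// Check the signature with the cert's own public key; trust comes from the pin.
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return fmt.Errorf("self-signature invalid: %w", err)
	}
	if err := cert.VerifyHostname(identity); err != nil {
		return err
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate outside its validity period")
	}
	return nil
}

func main() {
	// Site A generates its cert and e-mails it; site B confirms the fingerprint
	// over the phone and pins it. The check never looks at a source address.
	der, err := SelfSigned("vpn-a.example")
	if err != nil {
		panic(err)
	}
	store := TrustStore{}
	store.Pin("vpn-a.example", Fingerprint(der))
	fmt.Println("genuine peer:", store.Verify("vpn-a.example", der))
	// A different self-signed cert claiming the same identity fails on the pin.
	impostor, _ := SelfSigned("vpn-a.example")
	fmt.Println("impostor:", store.Verify("vpn-a.example", impostor))
}
```

The fingerprint comparison is what replaces the PKI: a second certificate for the same name, however well-formed, is rejected because the operator never verified it. Rekeying a peer means repeating the out-of-band step once, not re-registering with a CA.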


