
RE: Please save the pre-shared key mode



On Fri, 7 Dec 2001, Michael Thomas wrote:

> The fundamental mistake you're making here is
> giving special status to the name of *a*
> non-working group draft which calls itself IKEv2.
> It's not decided whether the working group will
> take IKEv2 as the basis of SOI, nor is it clear
> that the WG will call it "IKEv2" even if it did.
>
> Again, what is important at this point is setting
> the requirements to evaluate all of the candidate
> protocols. The requirements currently do not say
> that SOI will be everything that IKEv1 is and
> more.  If you want the requirements to
> specifically say this, I think you need to get WG
> consensus for that, which I doubt there currently
> is.
>
> 		Mike

From the recent posts it is pretty clear that we will not get WG consensus on
this issue.  However, I don't agree that this means that PSK is out.  One
can look at it in two ways:  we need to reach consensus for removing a
feature from IKE/SOI, or we need to reach consensus for making PSK a
requirement of SOI.  I think one thing that we need to keep in mind is that
SOI will be replacing IKEv1... and while it sounds great to start with a
clean slate with SOI, we have to take into account how IKEv1 has been
deployed.  This includes large deployments where the end-users have used
PSK.  If SOI does not address the needs of the user community, it won't be
adopted.  And I'd much prefer to support a single SOI protocol which meets
these needs than multiple protocols (IKEv1, SOI, KINK), each adding
complexity to the overall VPN solution we present.

=====================================================================
= Tylor Allison         Secure Computing Corporation        =========
= phone: 651.628.1554   e-mail: allison@securecomputing.com =========
=====================================================================


