
RE: Please save the pre-shared key mode



The bottom line is that although a smart UI can help a user simplify his task, it
doesn't completely solve the complexity issue we are talking about.
Otherwise there is no need for us to discuss this here anymore.

-----Original Message-----
From: Jan Vilhuber [mailto:vilhuber@cisco.com] 
Sent: Friday, December 07, 2001 3:44 PM
To: Wang, Cliff
Cc: ipsec@lists.tislabs.com
Subject: RE: Please save the pre-shared key mode


On Fri, 7 Dec 2001, Wang, Cliff wrote:

> 
> This thread is talking about saving the pre-shared key mode, instead 
> of saying nothing else works.
> 
> I am not sure how you can hide a whole PKI system away under a smart UI?

I'm not about to design your products for you, but several alternatives have
been proposed, ranging from using self-signed pre-shared certs to using
key fingerprints in lieu of a pre-shared key. The rest is up to you.

> I am also not sure how a smart UI can solve the issue that on a Cisco
> low-end box, PKI-based IPsec performs much more slowly than PSK-based
> IPsec.
> 
The last point seems completely off topic. I can't run linux on my
wristwatch either. What's the point? New things may only work on newer
boxes.

jan




> 
> -----Original Message-----
> From: Jan Vilhuber [mailto:vilhuber@cisco.com]
> Sent: Friday, December 07, 2001 2:58 PM
> To: Wang, Cliff
> Cc: 'Dan McDonald'; ipsec@lists.tislabs.com
> Subject: RE: Please save the pre-shared key mode
> 
> 
> On Fri, 7 Dec 2001, Wang, Cliff wrote:
> 
> > From the operational point of view, PSK is quick and easy to set up
> > service. It works and customers are happy. It is more real than a myth.
> > 
> The myth is that nothing else works. PSK is a behind-the-scenes 
> abstraction that good programmers can hide from users altogether. A 
> good UI can hide any other mechanism as well and make it as easy to 
> configure.
> 
> jan
> 
> 
> > 
> > 
> > -----Original Message-----
> > From: Jan Vilhuber [mailto:vilhuber@cisco.com]
> > Sent: Thursday, December 06, 2001 6:39 PM
> > To: Wang, Cliff
> > Cc: 'Dan McDonald'; ipsec@lists.tislabs.com
> > Subject: RE: Please save the pre-shared key mode
> > 
> > > On the other hand, PSK-based IKE and PKI-based IKE have been the main
> > > ways people deploy VPNs. In that context, PSK is simpler to run than
> > > PKI.
> > > 
> > I think that's the myth Dan was talking about.
> > 
> > jan
> > 
> > 
> > 
> > > 
> > > -----Original Message-----
> > > From: Dan McDonald [mailto:danmcd@east.sun.com]
> > > Sent: Thursday, December 06, 2001 1:28 PM
> > > To: Wang, Cliff
> > > Cc: ipsec@lists.tislabs.com
> > > Subject: Re: Please save the pre-shared key mode
> > > 
> > > 
> > > > 1) Simplicity
> > > > Pre-shared key mode is simpler to support by eliminating the
> > > > requirement of supporting complex PKI.
> > > 
> > > It's a myth that public-key implies you MUST have a PKI.
> > > 
> > > Self-signed certs combined with explicit out-of-band trust models 
> > > are just as non-cumbersome as pre-shared keys, IMHO, and they also 
> > > offer IP-address portability.  (Henry Spencer, correct me if I'm 
> > > wrong, but FreeSWAN has a self-signed cert model that works, 
> > > right?)
> > > 
> > > If we keep pre-shared, let's have a scalable way of identifying them.
> > > In a multi-homed world (esp. IPv6), pre-shared keys indexed by address
> > > pairs are as much hassle as PKI registration (it's just less snake-oil 
> > > than most PKIs ;).
> > > 
> > > For testing, I run server machines with self-signed certs.  For small
> > > (10-100) numbers of clients, it works out _quite_ nicely, and w/o any 
> > > of the PKI cruft.  Peer-to-peer explosions are about the only case 
> > > where PKI is really needed, and pre-shared won't help you any there 
> > > either.  It's just a matter of running certificate-generation, e-mail,
> > > and verifying hashes out-of-band.
> > > 
> > > I'm not totally against nuking pre-shared.  It's not, however, the 
> > > panacea of simplicity many think it is, and simplicity arguments 
> > > don't hold water.
> > > 
> > > Dan
> > > 
> > 
> >  --
> > Jan Vilhuber                                            vilhuber@cisco.com
> > Cisco Systems, San Jose                                     (408) 527-0847
> > 
> 
>  --
> Jan Vilhuber                                            vilhuber@cisco.com
> Cisco Systems, San Jose                                     (408) 527-0847
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
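
The out-of-band trust model Dan describes in the thread (a self-signed cert
per peer, its hash compared by e-mail or phone, no CA and no enrollment),
placed next to the address-pair-indexed pre-shared-key table he contrasts it
with, as an added Go example. This is not code from the thread, from FreeSWAN,
or from any Cisco or Sun product; the peer name, the addresses, the secret and
the helper names (NewSelfSignedCert, Fingerprint, TrustStore, PSKStore) are
constructed for the example. It shows why the fingerprint model survives a
multi-homed or renumbered peer while the address-keyed PSK lookup does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSignedCert generates a fresh P-256 key and a certificate signed by
// that same key: the "certificate-generation" step, with no CA involved.
// The peer name is an assumed example identity, not an IKE ID from the thread.
func NewSelfSignedCert(peerName string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: peerName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Fingerprint is the SHA-256 of the DER certificate. This is the value the two
// administrators compare out of band; unlike a PSK it need not stay secret.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// TrustStore is the explicit out-of-band trust model: one expected fingerprint
// per peer identity. It is keyed by who the peer is, never by its address.
type TrustStore map[string]string

// Verify accepts a presented certificate only if its self-signature checks
// under its own public key, its subject names the claimed peer, and its
// fingerprint equals the one recorded out of band. No chain, no CA.
func (ts TrustStore) Verify(claimedID string, presented *x509.Certificate) error {
	want, ok := ts[claimedID]
	if !ok {
		return errors.New("no out-of-band fingerprint recorded for " + claimedID)
	}
	// CheckSignature rather than CheckSignatureFrom: the latter enforces CA
	// basic constraints, which a self-signed end-entity cert does not carry.
	if err := presented.CheckSignature(presented.SignatureAlgorithm,
		presented.RawTBSCertificate, presented.Signature); err != nil {
		return fmt.Errorf("self-signature invalid: %w", err)
	}
	if presented.Subject.CommonName != claimedID {
		return fmt.Errorf("subject %q does not match claimed identity %q",
			presented.Subject.CommonName, claimedID)
	}
	if got := Fingerprint(presented); got != want {
		return fmt.Errorf("fingerprint mismatch for %s: got %s...", claimedID, got[:16])
	}
	return nil
}

// PSKStore is the contrasting model: pre-shared keys indexed by
// (local, remote) address pair. A peer reachable over a second address, or a
// renumbered peer, needs a new entry and a new out-of-band secret exchange.
type PSKStore map[[2]string][]byte

// LookupPSK returns the configured key for an address pair, if any.
func (ps PSKStore) LookupPSK(local, remote string) ([]byte, bool) {
	k, ok := ps[[2]string{local, remote}]
	return k, ok
}

func main() {
	cert, _, err := NewSelfSignedCert("gw1.example.net") // assumed peer name
	if err != nil {
		panic(err)
	}
	trust := TrustStore{"gw1.example.net": Fingerprint(cert)} // recorded out of band
	// Address is not an input to Verify: the same cert is accepted from any address.
	fmt.Println("fingerprint model accepts peer:", trust.Verify("gw1.example.net", cert) == nil)

	psk := PSKStore{[2]string{"192.0.2.1", "198.51.100.1"}: []byte("constructed-secret")}
	_, ok := psk.LookupPSK("192.0.2.1", "2001:db8::1") // peer's second (IPv6) address
	fmt.Println("PSK model knows peer's second address:", ok)
}
```

A second self-signed certificate with the same CommonName but a different key
is rejected by Verify, because trust rests on the recorded fingerprint, not on
the name inside the cert; that is the property the out-of-band hash comparison
buys you in place of a CA.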

