
Re: Please save the pre-shared key mode



  IPSRA is doing a little bit more than legacy authentication support
but you do have a point. Doing as Ricky suggests will also obviate that
insecure hack that Marcus described today.

  What we're telling people who want to do legacy authentication in a
standard way is that they have to do a 4-8 message exchange (depending
on whether you want DOS protection and your legacy authentication 
token is not out of sync or in something like "Next Code Mode") and
establish an authenticated Diffie-Hellman secret which you promptly throw
away to do another 9-10 message exchange (IKEv1, phase 1 and phase 2 with
the optional commit bit set) or 3-4 message exchange (assuming whatever
the WG standardizes on for SOI looks something like what is being proposed
today) and establish another authenticated Diffie-Hellman secret and IPsec
SAs. 

  Protocol  Initiator     Responder     Latency
  ------------------------------------------------
  PIC+IKE   1 signature   2 signatures  6.5-9 RTT + 1-2 RTs to legacy server
            2 verifies    1 verify
            2 DH agree    2 DH agree

Worst case 22 messages, best case 14 messages, just to do legacy 
authentication!? No wonder people are devising hacks around that. 

  For all the concern expressed over the number of roundtrips a protocol
has I'm surprised that no one has harped on that before.

  Dan.

On Fri, 07 Dec 2001 14:07:13 PST you wrote
> On Thu, 6 Dec 2001, Ricky Charlet wrote:
> 
> > Howdy,
> > 
> > 	I'm moving my position from 'in favor' to 'neutral' on saving a
> > pre-shared key authentication mode. It's not PSK itself or even current
> > look alike PSK functionality I'd like to see saved. There is a new
> > feature I want to see added and that is interaction with legacy
> > authentication systems in support of remote access users ala
> > draft-ietf-ipsra-reqmts-04.txt.
> 
> But then we should close down IPSRA, shouldn't we? Either we have IPSRA to
> take care of remote-access legacy methods, or we cancel that WG and fold the
> requirements back into the IPsec WG...
> 
> jan
>  --
> Jan Vilhuber                                            vilhuber@cisco.com
> Cisco Systems, San Jose                                     (408) 527-0847
> 

