
Re: Please save the pre-shared key mode



How about a smart card (holding a private/public key pair) at the remote system registering its public key at HQ?

--- David

----- Original Message -----
From: "Henry Spencer" <henry@spsystems.net>
To: "Michael Choung Shieh" <mshieh@netscreen.com>
Cc: "Wang, Cliff" <CWang@smartpipes.com>; <ipsec@lists.tislabs.com>
Sent: Friday, December 07, 2001 3:11 PM
Subject: RE: Please save the pre-shared key mode


> On Fri, 7 Dec 2001, Michael Choung Shieh wrote:
> > How about someone unwrapping the myth.  I don't care if it's PK or PSK as
> > long as we can set it up as easily as setting up PSK in IKE v1.
> > Can someone show a step-by-step procedure to set up PK?  In a typical
> > scenario, the HQ sys admin sets up the VPN and sends the config to his
> > unknowledgeable remote office peer to download to the remote device.  How
> > do we do it when using PK without using PKI?
>
> The HQ sysadmin generates a public/private key pair for the new
> host/device, and that is sent to his remote peer as part of the config.
> Remote peer installs config (including key pair).  Communication is
> established.  Just like PSK.
>
> Alternatively, loading the config into the remote system includes
> generating a keypair, and the public key is then sent back to the HQ
> sysadmin for inclusion in his setup.  Communication is established.
>
> The second approach is generally preferable, because it avoids ever
> transmitting secret information (the private key) between the sysadmins.
> But it does require a bit more savvy on the part of the remote sysadmin,
> and an extra sysadmin-to-sysadmin communications hop.  If the remote
> sysadmin is really not up to much, and/or the software he is using is
> unhelpful, having the HQ sysadmin do the keypair generation may be
> preferable.
>
>                                                           Henry Spencer
>                                                        henry@spsystems.net
>
>
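
Henry's two provisioning approaches, worked through as an added example; this is not code from the original thread, from FreeS/WAN or from any IKE implementation. It models each endpoint as a toy Go type holding a raw RSA key and an admin-maintained table of trusted public keys, with no certificates anywhere. EnrollRemoteGenerated is the second approach: the remote generates its own key, only the public half and a fingerprint the remote admin reads back to HQ leave the remote box. EnrollHQGenerated is the first approach: HQ generates the keypair and the private key travels inside the config. ProveToHQ stands in for IKE's signature-based authentication that follows. The type and function names, the SHA-256 fingerprint and the 2048-bit key size are this example's own choices, not anything the thread specifies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
)

// Peer is a toy VPN endpoint: its own RSA key plus the raw public keys an admin has registered (no certificates).
type Peer struct {
	Name    string
	priv    *rsa.PrivateKey
	trusted map[string]*rsa.PublicKey
}

func NewPeer(name string) *Peer {
	return &Peer{Name: name, trusted: map[string]*rsa.PublicKey{}}
}

// GenerateKey is the "generate a keypair" step: run on the remote in approach 2, at HQ in approach 1.
func (p *Peer) GenerateKey() (err error) {
	p.priv, err = rsa.GenerateKey(rand.Reader, 2048)
	return err
}

// PublicKeyPEM is the only thing that leaves the remote box in approach 2.
func (p *Peer) PublicKeyPEM() []byte {
	der, _ := x509.MarshalPKIXPublicKey(&p.priv.PublicKey)
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

// Fingerprint is short enough to read over the phone, the only out-of-band check available without a PKI.
func Fingerprint(pubPEM []byte) (string, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return "", fmt.Errorf("expected a PUBLIC KEY block")
	}
	sum := sha256.Sum256(block.Bytes)
	return hex.EncodeToString(sum[:8]), nil
}

// Register trusts a public key only if its fingerprint matches what the admin confirmed out of band.
func (p *Peer) Register(name string, pubPEM []byte, confirmedFP string) error {
	fp, err := Fingerprint(pubPEM)
	if err != nil {
		return err
	}
	if fp != confirmedFP {
		return fmt.Errorf("%s: fingerprint %s does not match confirmed %s", name, fp, confirmedFP)
	}
	block, _ := pem.Decode(pubPEM)
	k, err := x509.ParsePKIXPublicKey(block.Bytes)
	pub, ok := k.(*rsa.PublicKey)
	if err != nil || !ok {
		return fmt.Errorf("%s: not an RSA public key", name)
	}
	p.trusted[name] = pub
	return nil
}

// ProveToHQ stands in for IKE signature authentication: the remote signs a fresh nonce from HQ, and HQ
// verifies it with the key it registered. An unregistered or mismatched key fails here.
func ProveToHQ(hq, remote *Peer) bool {
	pub, ok := hq.trusted[remote.Name]
	if !ok || remote.priv == nil {
		return false
	}
	nonce := make([]byte, 32)
	rand.Read(nonce)
	h := sha256.Sum256(nonce)
	sig, err := rsa.SignPKCS1v15(rand.Reader, remote.priv, crypto.SHA256, h[:])
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// EnrollRemoteGenerated is approach 2: the remote has already run GenerateKey, only the public half travels,
// and confirmedFP is what the remote admin read back to HQ (the extra sysadmin-to-sysadmin hop).
func EnrollRemoteGenerated(hq, remote *Peer, confirmedFP string) error {
	return hq.Register(remote.Name, remote.PublicKeyPEM(), confirmedFP)
}

// EnrollHQGenerated is approach 1: HQ generates the remote's keypair and ships the private key in the config.
// No phone call is needed, since HQ already knows the public key, but the secret has now been in transit.
func EnrollHQGenerated(hq, remote *Peer) error {
	staging := NewPeer(remote.Name)
	if err := staging.GenerateKey(); err != nil {
		return err
	}
	config := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(staging.priv)})
	block, _ := pem.Decode(config) // the remote admin installs the config exactly as received
	k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return err
	}
	remote.priv = k
	fp, _ := Fingerprint(staging.PublicKeyPEM())
	return hq.Register(remote.Name, staging.PublicKeyPEM(), fp)
}
```

The fingerprint comparison in Register is the step that takes the place of a PKI. In approach 2 it is what closes the extra sysadmin-to-sysadmin hop: HQ refuses a key whose fingerprint does not match what the remote admin read out, so a key substituted in transit is caught. In approach 1 the check is trivially satisfied because HQ generated the key itself, which is exactly why that approach needs no second conversation but leaves the private key exposed to whoever can read the config on its way to the remote office.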

