(Co-author hat on)
PACE (draft-kuegler-ipsecme-pace-ikev2-05) negotiates its own use during
IKE_SA_INIT by exchanging a notification that signifies that both peers
support the extension. I would recommend that the other two protocols be
extended with a similar exchange of notifications. Then the responder
can decide which (if any) of them it supports and respond accordingly,
and the initiator can start the next exchange already knowing how it can
proceed.
However, let's not forget that falling back to PSK authentication using a
short password would be vulnerable to a MITM+dictionary attacker.
(WG co-chair hat on)
I share your disappointment with this outcome.
Thanks,
Yaron
On 03/27/2011 01:40 PM, Yoav Nir wrote:
Hi all
Yesterday, the IESG started last call on three documents:
- draft-harkins-ipsecme-spsk-auth-03
- draft-shin-augmented-pake-03
- draft-kuegler-ipsecme-pace-ikev2-05
All three seek to improve the authentication in IKEv2 when using pre-shared
keys, as compared with RFC 5996. The IPsecME working group was unable to choose
between them, but I don't think this attempt to throw this decision at the IESG
is going to help much.
Specifically, I don't think that publishing all three is a positive outcome for
this.
<poor developer hat on>
Moreover, I don't think there's a way for the poor developer to support all
four methods, and interoperate with implementations that support just one,
without wasting some round-trips on testing whether the peer supports one
implementation or the other.
If they at least all had something like a notification that says that the
initiator supports *this* method in the Initial exchange, and the responder
could reply with just one, it would be somewhat better, but still it's a bad
outcome for the IETF process.
</poor developer hat on>
Yoav
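The negotiation both messages above describe (the initiator advertising in IKE_SA_INIT which of the PSK-improvement methods it supports, the responder answering with at most one, and the initiator then knowing how to proceed into IKE_AUTH without extra round trips) can be modelled in a few lines. The following is an added illustration, not code from any of the three drafts or from an IKEv2 implementation: the notification names, the `Peer` structure and the weak-password threshold are constructed for the example, and the "refuse legacy PSK when the password is short" rule is simply Yaron's MITM+dictionary caveat turned into a local policy check.

```python
"""Constructed model of notification-based method selection in IKE_SA_INIT.

The notification names below are placeholders invented for this example;
the real PACE draft defines its own notify type, and the other two drafts
would need one added. Nothing here is wire-accurate IKEv2.
"""
from dataclasses import dataclass

# Hypothetical per-method notifications (not values from any draft).
SPSK = "N(SECURE_PSK_AUTH_SUPPORTED)"     # draft-harkins-ipsecme-spsk-auth
AUGPAKE = "N(AUGPAKE_SUPPORTED)"          # draft-shin-augmented-pake
PACE = "N(PACE_SUPPORTED)"                # draft-kuegler-ipsecme-pace-ikev2
LEGACY_PSK = "LEGACY_PSK"                 # plain RFC 5996 PSK authentication


@dataclass
class Peer:
    name: str
    supported: list            # PAKE-style methods, in preference order
    psk: bytes                 # the pre-shared secret this peer holds
    allow_plain_psk_fallback: bool = True


def build_ike_sa_init_request(initiator):
    """Initiator advertises every method it supports in the first message."""
    return {"exchange": "IKE_SA_INIT", "notifies": list(initiator.supported)}


def build_ike_sa_init_response(responder, request):
    """Responder replies with at most one method, chosen from the offer
    in the responder's own preference order; an empty list means
    'none of these'."""
    offered = request["notifies"]
    for method in responder.supported:
        if method in offered:
            return {"exchange": "IKE_SA_INIT", "notifies": [method]}
    return {"exchange": "IKE_SA_INIT", "notifies": []}


def psk_is_weak(psk, min_len=16):
    """Constructed threshold: treat anything shorter than 16 bytes as a
    'short password' for the purposes of the fallback check."""
    return len(psk) < min_len


def choose_auth(initiator, response):
    """After IKE_SA_INIT the initiator already knows how IKE_AUTH proceeds.
    If no common PAKE method exists, the only remaining option is legacy
    PSK, which is refused when policy forbids it or the secret is short."""
    chosen = response["notifies"]
    if chosen:
        return chosen[0]
    if not initiator.allow_plain_psk_fallback or psk_is_weak(initiator.psk):
        raise RuntimeError(
            "no common PAKE method; refusing legacy PSK with a short password")
    return LEGACY_PSK


def negotiate(initiator, responder):
    """One IKE_SA_INIT round trip decides the authentication method."""
    request = build_ike_sa_init_request(initiator)
    response = build_ike_sa_init_response(responder, request)
    return choose_auth(initiator, response)


if __name__ == "__main__":
    strong = b"k" * 32
    alice = Peer("alice", [PACE, SPSK], strong)
    bob = Peer("bob", [SPSK, AUGPAKE], strong)
    print(negotiate(alice, bob))            # SPSK: the one method both share
    carol = Peer("carol", [AUGPAKE], strong)
    print(negotiate(alice, carol))          # LEGACY_PSK: nothing in common
```

The point the model makes explicit is that the responder's answer is a single method, so an implementation supporting all four options never has to probe the peer; and that the fallback branch is the one place where a short password re-enters the picture, which is why it is gated rather than silently taken.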
_______________________________________________
IPsec mailing list
IPsec(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ipsec
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf