
Re: [IPsec] PSK with IKEv2

2011-03-27 07:50:09
(Co-author hat on)

PACE (draft-kuegler-ipsecme-pace-ikev2-05) negotiates its own use during IKE_SA_INIT by exchanging a notification that signifies that both peers support the extension. I would recommend that the other two protocols be extended with a similar exchange of notifications. Then the responder can decide which (if any) of them it supports and respond accordingly, and the initiator can start the next exchange already knowing how it can proceed.

However, let's not forget that falling back to PSK authentication using a short password would be vulnerable to a MITM+dictionary attacker.

(WG co-chair hat on)

I share your disappointment with this outcome.

Thanks,
        Yaron

On 03/27/2011 01:40 PM, Yoav Nir wrote:
> Hi all
> 
> Yesterday, the IESG started last call on three documents:
> - draft-harkins-ipsecme-spsk-auth-03
> - draft-shin-augmented-pake-03
> - draft-kuegler-ipsecme-pace-ikev2-05
> 
> All three seek to improve the authentication in IKEv2 when using pre-shared 
> keys, as compared with RFC 5996. The IPsecME working group was unable to choose 
> between them, but I don't think this attempt to throw this decision at the IESG 
> is going to help much.
> 
> Specifically, I don't think that publishing all three is a positive outcome for 
> this.
> 
> <poor developer hat on>
> Moreover, I don't think there's a way for the poor developer to support all 
> four methods, and interoperate with implementations that support just one, 
> without wasting some round-trips on testing whether the peer supports one 
> implementation or the other.
> 
> If they at least all had something like a notification that says that the 
> initiator supports *this* method in the Initial exchange, and the responder 
> could reply with just one, it would be somewhat better, but still it's a bad 
> outcome for the IETF process.
> </poor developer hat on>
> 
> Yoav

_______________________________________________
IPsec mailing list
IPsec(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ipsec
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
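The two points in Yaron's reply, as an added worked example that is not part of the thread and not code from any of the three drafts: first, the IKE_SA_INIT negotiation he describes (initiator advertises the password methods it supports in one notification, responder answers with exactly one or with none, so the initiator knows before IKE_AUTH how to proceed); second, why the fallback he warns about, plain RFC 5996 PSK authentication with a short password, is open to an offline dictionary attack by an active man-in-the-middle. The notify type number, the message dictionaries, the sample password and the wordlist are all placeholders constructed for this example, not IANA values or the wire format of any draft; the only thing taken from the standard is the AUTH computation from RFC 5996 section 2.15, modelled here with HMAC-SHA256 as the prf.

```python
"""Toy model of IKE_SA_INIT password-method negotiation and of the offline
dictionary attack on RFC 5996 PSK AUTH. Constructed example, not draft code."""
import hashlib
import hmac
import secrets

NOTIFY_PWD_METHODS = 0x4A00          # hypothetical notify type, not IANA-assigned
METHOD_SPSK, METHOD_AUGPAKE, METHOD_PACE = 1, 2, 3


def build_sa_init_request(initiator_methods):
    """Initiator: advertise every method it implements in one notification."""
    return {"notify": {NOTIFY_PWD_METHODS: sorted(initiator_methods)}}


def build_sa_init_response(request, responder_methods, preference):
    """Responder: answer with exactly one method, the first in its own
    preference order that the initiator also offered. No method in the
    reply means both sides fall back to RFC 5996 PSK authentication."""
    offered = set(request["notify"].get(NOTIFY_PWD_METHODS, []))
    common = offered & set(responder_methods)
    for method in preference:
        if method in common:
            return {"notify": {NOTIFY_PWD_METHODS: [method]}}
    return {"notify": {}}


def negotiated_method(response):
    chosen = response["notify"].get(NOTIFY_PWD_METHODS, [])
    return chosen[0] if chosen else None


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def psk_auth(psk, signed_octets):
    """RFC 5996 2.15: AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(psk, b"Key Pad for IKEv2"), signed_octets)


def initiator_signed_octets(message1, nonce_r, sk_pi, id_i):
    """RFC 5996 2.15: RealMessage1 | NonceRData | prf(SK_pi, RestOfInitIDPayload).
    SK_pi comes from the Diffie-Hellman secret, so a passive eavesdropper cannot
    compute these octets; a party that ran the DH exchange with the initiator can."""
    return message1 + nonce_r + prf(sk_pi, id_i)


def offline_dictionary_attack(auth_payload, signed_octets, candidates):
    """Active MITM: it terminated IKE_SA_INIT itself, so it holds SK_pi and every
    byte of signed_octets. Each guess costs two HMACs and needs no further
    interaction with the victim, so a short password is found quickly."""
    for guess in candidates:
        if hmac.compare_digest(psk_auth(guess, signed_octets), auth_payload):
            return guess
    return None


def demo():
    # Negotiation: initiator implements SPSK and PACE, responder AugPAKE and PACE.
    request = build_sa_init_request({METHOD_SPSK, METHOD_PACE})
    response = build_sa_init_response(request, {METHOD_AUGPAKE, METHOD_PACE},
                                      preference=[METHOD_AUGPAKE, METHOD_PACE])
    chosen = negotiated_method(response)

    # A responder with no method in common replies with no method at all.
    fallback = negotiated_method(
        build_sa_init_response(request, {METHOD_AUGPAKE}, [METHOD_AUGPAKE]))

    # PSK fallback under a MITM. Constructed values: the victim's password is
    # "hunter2", the attacker's wordlist has four entries.
    psk = b"hunter2"
    sk_pi = secrets.token_bytes(32)   # known to the MITM: it ran the DH with the initiator
    octets = initiator_signed_octets(b"<IKE_SA_INIT request bytes>",
                                     secrets.token_bytes(32), sk_pi, b"alice@example.com")
    auth = psk_auth(psk, octets)      # the AUTH payload the initiator sends in IKE_AUTH
    recovered = offline_dictionary_attack(
        auth, octets, [b"letmein", b"Password1", b"hunter2", b"s3cret"])
    return {"chosen": chosen, "fallback": fallback, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

The negotiation costs no extra round trip because the notification rides inside the messages IKE_SA_INIT already sends; the responder's single reply is what lets the initiator pick the right IKE_AUTH contents in advance. The attack half shows the asymmetry Yaron points at: PSK AUTH is only as strong as the password once an attacker holds the DH-derived keys, whereas the three PAKE drafts exist precisely so that a MITM learns nothing it can test offline.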
