Hi Kaz,
Most of the WG members are aware of the whole picture:
- The standard is clear that PSK must not be used with passwords.
- The standard contains a good solution for the client-gateway case,
which is already widely implemented, namely EAP. EAP is implemented by
many AAA servers, is available on endpoints and simple to integrate into
gateways, and is therefore the best way to set up a remote access
solution if you have more than, say, 5 users.
- Having two ways to do the same thing (e.g. IKE+EAP with a mutual auth
method, and IKEv2 with the new proposed mode) is bad for
interoperability and ultimately, for the success of the standard.
Thanks,
Yaron
On 28.3.2010 9:40, Kaz Kobara wrote:
So is there a reason you don't want to fix this "between clients
and gateways"?
(As most of this WG's members have already noticed)
PSK in IKE is foolish in the sense that it is vulnerable to an off-line
dictionary attack while using heavy DH calculations.
There is no reason not to fix this foolish PSK (regardless of "between
gateways" and "between clients and gateways").
Kaz
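The thread's point is that an IKE pre-shared key derived from a human-chosen password is exposed to off-line dictionary guessing, which is why the standard requires a PSK to carry real unpredictability rather than be a password. The following is an added example, not code from either poster or from any IPsec implementation: a provisioning-time check that generates a random PSK and rejects password-like candidates before they reach a peer's configuration. The 128-bit threshold, the toy common-password list and the entropy estimator are assumptions chosen for illustration.

```python
import base64
import math
import secrets
import string
from typing import Tuple

# Constructed toy list of password-like strings; a real deployment would
# consult a large breached-password corpus instead (assumption for this example).
COMMON_PASSWORDS = {"password", "secret123", "vpnsecret", "ipsec", "letmein"}

# Minimum unpredictability, in bits, that a PSK must carry before it is accepted.
# 128 is a working assumption here, matching a 128-bit symmetric cipher key.
MIN_PSK_BITS = 128


def generate_psk(nbytes: int = 32) -> str:
    """Return a freshly generated random PSK, base64-encoded for config files.

    32 random bytes give 256 bits of entropy, far beyond any dictionary.
    """
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def estimate_entropy_bits(psk: str) -> float:
    """Optimistic upper bound on a PSK's entropy from its length and classes.

    Assumes each character was drawn uniformly from the union of the character
    classes present. A human-chosen string has far less real entropy, so this
    bound is only useful for rejecting obviously weak keys, never for
    certifying strong ones.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in psk))
    if alphabet == 0:
        return 0.0
    return len(psk) * math.log2(alphabet)


def psk_is_acceptable(psk: str) -> Tuple[bool, str]:
    """Decide whether a candidate PSK may be provisioned; returns (ok, reason)."""
    if psk.lower() in COMMON_PASSWORDS:
        return False, "matches a known password"
    if len(set(psk)) < 8:
        return False, "too little character variety"
    bits = estimate_entropy_bits(psk)
    if bits < MIN_PSK_BITS:
        return False, f"estimated entropy {bits:.0f} bits < {MIN_PSK_BITS}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Summer2010!", generate_psk()):
        print(candidate, psk_is_acceptable(candidate))
```

The check is deliberately one-sided: it can only say "no" to keys that look like passwords, so the intended workflow is to provision the output of generate_psk() and use psk_is_acceptable() as a guard against operators typing a memorable phrase into the PSK field.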
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec