Hi Yaron,

I see. Your "client-gateway" means "client-gateway-AAA".

OK, now we can go back to the title. Why don't you make it more specific, like "Password-Based Authentication between Gateways in IKEv2: Selection Criteria and Comparison" or something like that? This is really what you want to do, I bet.

Regards,
Kaz

> -----Original Message-----
> From: Yaron Sheffer [mailto:yaronf.i...@gmail.com]
> Sent: Sunday, March 28, 2010 5:41 PM
> To: Kaz Kobara
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)
>
> Hi Kaz,
>
> Most of the WG members are aware of the whole picture:
>
> - The standard is clear that PSK must not be used with passwords.
> - The standard contains a good solution for the client-gateway case,
>   which is already widely implemented, namely EAP. EAP is implemented by
>   many AAA servers, is available on endpoints and simple to integrate into
>   gateways, and is therefore the best way to set up a remote access
>   solution if you have more than, say, 5 users.
> - Having two ways to do the same thing (e.g. IKE+EAP with a mutual auth
>   method, and IKEv2 with the new proposed mode) is bad for
>   interoperability and ultimately, for the success of the standard.
>
> Thanks,
> Yaron
>
> On 28.3.2010 9:40, Kaz Kobara wrote:
> >> So is there a reason you don't want to fix this "between clients
> >> and gateways"?
> >
> > (As most of the WG members have already noticed)
> > PSK in IKE is foolish in the sense that it is vulnerable to an off-line
> > dictionary attack while using a heavy DH calculation.
> >
> > There is no reason not to fix this foolish PSK (regardless of "between
> > gateways" and "between clients and gateways".)
> >
> > Kaz

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
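The off-line dictionary attack that Kaz refers to, as an added example that is not part of the thread and not code from any IKEv2 implementation. It computes the shared-key AUTH value the way RFC 7296 section 2.15 defines it, AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), SignedOctets), assuming PRF_HMAC_SHA2_256 as the negotiated prf, and then guesses the PSK from a wordlist. The signed octets and the wordlist are constructed for the example. One caveat the thread does not spell out: in IKEv2 the AUTH payload travels encrypted under keys derived from the DH exchange, so a purely passive observer does not see it; the attacker has to be an active peer (for instance a rogue gateway the client connects to), after which the whole search runs off-line and each guess costs two HMACs rather than a DH operation.

```python
import hmac
import hashlib

# RFC 7296 section 2.15, shared-key authentication (auth method 2):
#   AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets> )
# Assumption for this example: the negotiated prf is PRF_HMAC_SHA2_256.
KEY_PAD = b"Key Pad for IKEv2"

# Constructed stand-in for the initiator's signed octets
# (RealMessage1 | NonceRData | MACedIDForI). An active attacker who ran the
# IKE_SA_INIT exchange with the victim knows all of these bytes.
SIGNED_OCTETS = b"constructed-IKE_SA_INIT-request|constructed-Nr|constructed-MACedIDForI"

# Constructed wordlist; a real attack would use a password dictionary.
WORDLIST = [b"password", b"letmein", b"ipsec", b"Summer2010", b"vpnpassword"]


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, one of the IKEv2 prf transforms."""
    return hmac.new(key, data, hashlib.sha256).digest()


def ikev2_psk_auth(shared_secret: bytes, signed_octets: bytes) -> bytes:
    """AUTH value for the shared-key method, as the peer would compute it."""
    return prf(prf(shared_secret, KEY_PAD), signed_octets)


def offline_dictionary_attack(auth: bytes, signed_octets: bytes, candidates):
    """Try to recover a password-derived PSK from one captured AUTH value.

    Returns (recovered_psk_or_None, guesses_tried). Nothing here touches the
    DH group: the expensive exponentiation happened once, on-line, when the
    attacker talked to the victim; every guess afterwards is two cheap HMACs.
    """
    tried = 0
    for guess in candidates:
        tried += 1
        if ikev2_psk_auth(guess, signed_octets) == auth:
            return guess, tried
    return None, tried


def demo():
    """Weak, human-chosen PSK falls to the wordlist; a random 32-byte PSK does not."""
    weak_auth = ikev2_psk_auth(b"Summer2010", SIGNED_OCTETS)
    strong_psk = bytes(range(32))  # constructed stand-in for a random key
    strong_auth = ikev2_psk_auth(strong_psk, SIGNED_OCTETS)
    weak_result, _ = offline_dictionary_attack(weak_auth, SIGNED_OCTETS, WORDLIST)
    strong_result, _ = offline_dictionary_attack(strong_auth, SIGNED_OCTETS, WORDLIST)
    return weak_result, strong_result


if __name__ == "__main__":
    recovered, not_recovered = demo()
    print("weak PSK recovered:", recovered)
    print("strong PSK recovered:", not_recovered)
```

The point of returning the guess count is to make the cost model visible: the attacker's work is linear in the dictionary size and independent of the DH group, which is exactly why a PSK that is really a password gives no security beyond the password's entropy, and why the draft under discussion looks at PAKE rather than plain PSK for that case.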