Hi Raj,
No, RFC 5685 tried for generality without defining the usage scenario in
advance, and this attempt failed. The solution cannot be used
gateway-gateway, because it depends on the (arbitrary)
initiator/responder distinction.
Thanks,
Yaron
On 30.3.2010 15:43, Raj Singh wrote:
Hi Yaron,
You are saying the same things that I am saying, so I am not able to
understand how it is a counter-example?
The point I want to make here is:
"We can emphasize the main use case scenario in the draft, but the protocol should
have a space for generality".
According to me RFC 5685 is a good example o
Hi Raj,
this in fact is the perfect counter-example: RFC 5685 started out with
the client-gateway scenario, and when we woke up to see how it can be
generalized to the symmetric gateway-gateway case, it was too late.
Hence Sec. 10, which says that the resulting protocol is a very partial
solu
Hi Team,
Similar scenarios are beautifully handled by the Redirect RFC, RFC 5685.
The Redirect RFC emphasizes client-gateway terminology, which is the typical
use of Redirect mechanism in IKEv2 where Gateway redirects client to another
less loaded gateway but at the same time RFC is also applicable to
ro
Yaron Sheffer writes:
> I'm not suggesting to constrain the protocol. I'm trying to focus the
> discussion, and focus the criteria. We both know that integrating an
> existing PAKE into IKEv2 is not such a big deal. But we can spend months
> debating password management:
>
> - Do we specify a p
The disagreement between Dan and Yaron is over wording in the not-at-all
normative criteria draft. This draft is not intended to become an RFC, and is
not binding on the WG. It currently is being edited by Yaron; soon it will be
edited by both Yaron and Dan.
From the active thread the past f
]
Sent: Sunday, March 28, 2010 5:41 PM
To: Kaz Kobara
Cc: ipsec@ietf.org
Subject: Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)
Hi Kaz,
Most of the WG members are aware of the whole picture:
- The standard is clear that PSK must not be used with passwords.
- The standard contains a g
that?
This is really what you want to do, I bet.
Regards,
Kaz
> -----Original Message-----
> From: Yaron Sheffer [mailto:yaronf.i...@gmail.com]
> Sent: Sunday, March 28, 2010 5:41 PM
> To: Kaz Kobara
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] New PAKE Criteria draft posted (def.
the title
"Password-Based Authentication in IKEv2: Selection Criteria and
Comparison"
seems misleading (since this itself misinforms that these criteria may be
applied to IKEv2 in any cases), and the above should be clearly mentioned in
the document.
Kaz
-----Original Message-----
From: Yar
Hi Kaz,
Most of the WG members are aware of the whole picture:
- The standard is clear that PSK must not be used with passwords.
- The standard contains a good solution for the client-gateway case,
which is already widely implemented, namely EAP. EAP is implemented by
many AAA servers, is avai
> So is there a reason you don't want to fix this "between clients
> and gateways"?
(As most of this WG members have already noticed)
PSK in IKE is foolish in the sense that it is vulnerable to off-line
dictionary attacks while using heavy DH calculations.
There is no reason not to fix this
gt;>>> Hi Yaron
>>>>>
>>>>> Thank you for your clarification.
>>>>>
>>>>>> "between gateways" as opposed to
>>>>>> "between clients and gateways". So your assertion is correct.
>>>
eems misleading (since this itself misinforms that these criteria may be
applied to IKEv2 in any cases), and the above should be clearly mentioned in
the document.
Kaz
-----Original Message-----
From: Yaron Sheffer [mailto:yaronf.i...@gmail.com]
Sent: Friday, March 26, 2010 2:14 PM
To: Kaz Kobara
C
Actually I do want to fix it. All you have to do is use IKEv2 with one
of the shining new EAP methods. Such as
http://tools.ietf.org/html/draft-harkins-emu-eap-pwd-13.
Thanks,
Yaron
On 27.3.2010 23:46, Dan Harkins wrote:
Kaz,
On Sat, March 27, 2010 11:00 am, Kaz Kobara wrote:
be
Kaz,
On Sat, March 27, 2010 11:00 am, Kaz Kobara wrote:
>> between gateways, people abuse
>> PSK authentication by using it with short passwords.
>
> I agree, but what I wanted to say was
> this is also true (and even worse) "between clients and gateways".
So is there a reason you don't want
pe the passwords.)
>>>
>>> Anyway, if the scope is limited only on "between gateways" but not
>>> "between
>>> clients and gateways," the title
>>> "Password-Based Authentication in IKEv2: Selection Criteria and
>>> Comparison"
.com]
> Sent: Saturday, March 27, 2010 11:06 PM
> To: Kaz Kobara
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)
>
> Hi Kaz,
>
> the deployment experience has been that between gateways, people abuse
> PSK authentication
ginal Message-
From: Yaron Sheffer [mailto:yaronf.i...@gmail.com]
Sent: Friday, March 26, 2010 2:14 PM
To: Kaz Kobara
Cc: ipsec@ietf.org
Subject: Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)
Hi Kaz,
I *thought* my intention was clear: "between gateways" as opposed to
riteria may be
applied to IKEv2 in any cases), and the above should be clearly mentioned in
the document.
Kaz
-----Original Message-----
From: Yaron Sheffer [mailto:yaronf.i...@gmail.com]
Sent: Friday, March 26, 2010 2:14 PM
To: Kaz Kobara
Cc: ipsec@ietf.org
Subject: Re: [IPsec] New PAKE C
n Criteria and
> Comparison"
> seems misleading (since this itself misinforms that these criteria may be
> applied to IKEv2 in any cases), and the above should be clearly mentioned in
> the document.
>
> Kaz
>
>> -----Original Message-----
>> From: Yaron Sh
14 PM
> To: Kaz Kobara
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)
>
> Hi Kaz,
>
> I *thought* my intention was clear: "between gateways" as opposed to
> "between clients and gateways". So your assertion
Great, clear benefits to having a separate AAA server. So that's
the reason to neuter technology?
What you're talking about is a deployment issue and that really isn't
any of our business.
Dan.
On Thu, March 25, 2010 10:06 pm, Yaron Sheffer wrote:
> As I mentioned in my previous mail, the
Hi Kaz,
I *thought* my intention was clear: "between gateways" as opposed to
"between clients and gateways". So your assertion is correct.
Thanks,
Yaron
On 26.3.2010 1:40, Kaz Kobara wrote:
Hi Yaron
draft-sheffer-ipsecme-pake-criteria-02.txt says in Page 4
"This document is limited
As I mentioned in my previous mail, the document attempts to follow the
use cases as agreed in the charter.
For the remote access case, there are clear benefits to having a
separate AAA server, and EAP has been adopted by multiple protocols
including IKEv2. I don't see a reason to open this de
On the contrary, I would like to see no notion of "clients", "hosts",
and "gateways" at all. There is no reason why this technique could
not be used in any of the use cases in IKEv2.
And such a statement certainly does not belong in a document that
supposedly deals with criteria upon which a
Hi Yaron
> draft-sheffer-ipsecme-pake-criteria-02.txt says in Page 4
> "This document is limited to the use of password-based authentication to
> achieve trust between gateways"
I would like to make sure that
"gateway" in this document does not encompass VPN clients and hosts, right?
Kaz
>