On Fri, February 10, 2012 12:13 pm, Yaron Sheffer wrote:

> Hi Paul,
>
> Sorry, I don't understand your statement. Yes, IKEv1 is popular but
> (formally) obsolete. It is still our responsibility to ensure that it
> doesn't gain new and insecure extensions in its old age. The way we do
> it is through the normal IETF/RFC-Ed/IANA bureaucratic processes.
>
> Unlike Tero, I don't think people will be adding non-IETF extensions of
> this sort to IKEv1. New crypto algorithms, maybe. But new authentication
> methods? I'd be surprised.

SURPRISE! It's me. And I want to add a new authentication method to IKEv1. New, yes; insecure, no. In fact, it makes things _more_ secure because it obviates the need for insecure extensions that have been added to IKEv1 and widely implemented, like XAUTH, because it removes the requirement that a PSK be bound to an IP address and it is resistant to dictionary attack.

(And now that I have mentioned this, will you be surprising yourself by proposing a new authentication method for IKEv1 that is resistant to dictionary attack?)

Dan.

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
