Hi Dan,
No surprise at all - I used the term "non-IETF extension". As long as
your extension goes through proper IETF process/review, I'm fine with
it. I might even support it, since I agree that it adds security to
IKEv1/PSK. Other people might argue that we shouldn't confuse the
industry by adding major new pieces to IKEv1.
Thanks,
Yaron
On 02/11/2012 12:45 AM, Dan Harkins wrote:
> On Fri, February 10, 2012 12:13 pm, Yaron Sheffer wrote:
>> Hi Paul,
>>
>> sorry, I don't understand your statement. Yes, IKEv1 is popular but
>> (formally) obsolete. It is still our responsibility to ensure that it
>> doesn't gain new and insecure extensions in its old age. The way we do
>> it is through the normal IETF/RFC-Ed/IANA bureaucratic processes.
>>
>> Unlike Tero, I don't think people will be adding non-IETF extensions of
>> this sort to IKEv1. New crypto algorithms, maybe. But new authentication
>> methods? I'd be surprised.
>
> SURPRISE! It's me. And I want to add a new authentication method
> to IKEv1. New, yes; insecure, no. In fact, it makes things _more_ secure
> because it obviates the need for insecure extensions that have been added
> to IKEv1 and widely implemented, like XAUTH, because it removes the
> requirement that a PSK be bound to an IP address and it is resistant to
> dictionary attack.
>
> (And now that I have mentioned this, will you be surprising yourself
> by proposing a new authentication method for IKEv1 that is resistant to
> dictionary attack?)
>
> Dan.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec