My initial inclination is to say that won't fly: that many deployments still require preshared key authentication. Rather, they would object to certificates because of perceived complexity. That said, I could see arguments that what we're discussing are already fairly sophisticated topologies, so perhaps the certificate allergy doesn't hold?
-Geoff

On Mar 24, 2012, at 3:05 AM, "Tero Kivinen" <[email protected]> wrote:

> Praveen Sathyanarayan writes:
>> Yes. If certificate-based authentication was used in the network, there is
>> no need for new credentials. But if pre-shared key based authentication was used, then we
>> need these "temporary credentials". Also, it is required to define the
>> lifetime of these "temporary credentials". For example, if the tunnel between
>> spokes stays up beyond the lifetime of the SA, then can the same "temporary
>> credentials" be used for rekey? Or should new "temporary credentials"
>> be received from the Hub?
>
> That starts to sound like certificates... One of the ways to do this
> is to always use certificates in the on-demand direct VPN connections.
> I.e. if peer A normally authenticates itself with PSK to the hub,
> it would then create a private key, give it to the hub, which would sign
> it with a hub-only configuration trust anchor, and then other peers
> could use that key.
>
> Or another way would be to use raw public keys, but then we do not
> have things like validity periods etc.
>
> As X.509 certificate authentication support is already MANDATORY to
> support in all implementations, that could be the easiest way forward.
> --
> [email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
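The hub-signed temporary-credential flow Tero sketches above, as an added example that is not part of this thread or of any IPsec implementation: the hub keeps a trust anchor used only for this purpose, signs a spoke's public key with a validity period bounded by the SA lifetime, and a peer accepts the credential only if it chains to that anchor and is still valid. The function names, the "hub-trust-anchor" CommonName and the use of P-256 keys are assumptions; a raw public key, by contrast, would give the peer neither the chain nor the validity check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// Hub-only trust anchor: a self-signed CA used solely to sign temporary spoke credentials
// (constructed example; the CommonName is hypothetical).
func newHubCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "hub-trust-anchor"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	must(err)
	ca, err := x509.ParseCertificate(der)
	must(err)
	return ca, key
}

// Hub side: sign the public key a PSK-authenticated spoke handed over. Validity is
// bounded by the SA lifetime, so rekeying past it needs a fresh credential from the hub.
func hubIssue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spoke string, pub *ecdsa.PublicKey, saLifetime time.Duration) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: spoke},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(saLifetime)}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// Peer side: accept a credential only if it chains to the hub anchor and is valid at time `at`.
func peerAccepts(ca, cred *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cred.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```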
