On Thu, 13 Apr 2017, Scott Fluhrer (sfluhrer) wrote:

> I wasn't nearly as clear as I ought to have been; I made some assumptions 
> without stating them.
> 
> There are, of course, multiple possible PPK sources; one is a preconfigured 
> fixed value in the device; another might be values from a CD-ROM (as others 
> discussed elsethread); still another might be a quantum key distribution device.
> 
> My discussion was solely about the preconfigured fixed value, and I was just 
> talking about the mapping between 'fixed value' and 'the PPK value you hand to 
> the PRF'; this fixed value will likely be configured as a string (similar to a 
> standard preshared key), my question was the mapping of this string to a PPK 
> value.

Right, and likely use the exact same code path as for PSK, so I think
the vendors will interop similarly with PSK as with PPK for
this use case. I really wouldn't want to have our PPK secrets to be
differently configured or interpreted from our PSK secrets with respect
to whether it ignores a space or not.

> Now, obviously, there will be other methods of generating PPKs; for those 
> alternative methods, they will likely generate large (256 bit or so) uniform 
> random value; there may be no particular reason to impose any nontrivial 
> mapping there.  Obviously, talking about ASCII in that context may make no 
> sense whatsoever.  I don't intend to talk about these alternative methods 
> directly in the draft (except to provide a hook to add them later).

Right, but I think it is better to not give different formats/charsets
for PPKs. Maybe note/warn the implementer for dangerous characters, but
don't define a new set of valid chars for this one type of PPK.

Paul

ps. as for your "they will likely generate" argument, I fear that is
mostly wishful thinking. As was pointed out recently, this is the
stuff you find in "production quality VPN services":

https://support.onevpn.com/knowledgebase/configure-l2tp-protocol-windows-10/

which says:

    0- Select the radio box for "Use preshared key for authentication" and 
    enter "123456789"


And those kinds of things lead to these kinds of statistics:

https://twitter.com/letoams/status/549654933608595457
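Added example, not part of this thread and not code from the draft or from any vendor: a small Python model of the string-to-key mapping Scott asks about and the interop hazard Paul describes. It assumes one convention (a secret written as "0x" plus an even number of hex digits is raw bytes; anything else is UTF-8 used byte for byte), uses HMAC-SHA256 as a stand-in for IKEv2's prf, and shows how a peer that silently trims whitespace derives different key material from the same configured text. The lint function is the "warn the implementer about dangerous characters" idea, extended with a strength estimate that flags the quoted "123456789" case. All sample values are constructed.

```python
import hashlib
import hmac
import math
import re

# Assumed convention (not from the draft or the thread): "0x" followed by an
# even number of hex digits is raw bytes; anything else is UTF-8 text verbatim.
HEX_RE = re.compile(r"0x(?:[0-9a-fA-F]{2})+")


def secret_to_key(configured: str, strip_whitespace: bool = False) -> bytes:
    """Map a configured PSK/PPK string to the bytes handed to the PRF.

    strip_whitespace models an implementation that silently trims the value
    before use; the default keeps every byte so that two peers fed the same
    text end up with the same key material.
    """
    text = configured.strip() if strip_whitespace else configured
    if HEX_RE.fullmatch(text):
        return bytes.fromhex(text[2:])
    return text.encode("utf-8")


def derive(key: bytes, label: bytes = b"constructed-label") -> bytes:
    """Stand-in for the PRF step (HMAC-SHA256 here, not IKEv2's prf+)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def peers_agree(text_a: str, strip_a: bool, text_b: str, strip_b: bool) -> bool:
    """True when both peers derive identical output from their configured text."""
    return derive(secret_to_key(text_a, strip_a)) == derive(secret_to_key(text_b, strip_b))


def estimated_bits(configured: str) -> float:
    """Rough upper bound on secret strength: 8 bits per byte for hex input,
    otherwise length times log2 of the character classes actually used."""
    if HEX_RE.fullmatch(configured):
        return 8.0 * len(bytes.fromhex(configured[2:]))
    alphabet = 0
    if any(c.islower() for c in configured):
        alphabet += 26
    if any(c.isupper() for c in configured):
        alphabet += 26
    if any(c.isdigit() for c in configured):
        alphabet += 10
    if any(not c.isalnum() for c in configured):
        alphabet += 33  # printable ASCII punctuation plus space
    return len(configured) * math.log2(alphabet) if alphabet else 0.0


def lint_secret(configured: str) -> list:
    """Configuration-time warnings: characters that peers may interpret
    differently, plus a weak-secret check for values like '123456789'."""
    warnings = []
    if configured != configured.strip():
        warnings.append("leading/trailing whitespace: peers may trim differently")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in configured):
        warnings.append("non-printable or non-ASCII character: charset handling may differ")
    if configured.isdigit():
        warnings.append("digits only: trivially guessable")
    if estimated_bits(configured) < 128:
        warnings.append("estimated strength below 128 bits")
    return warnings


if __name__ == "__main__":
    # Constructed sample secrets: the quoted vendor default, a trailing-space
    # value, and a 256-bit hex value of the kind Scott expects from other sources.
    for s in ["123456789", "secret ", "0x" + "ab" * 32]:
        print(repr(s), secret_to_key(s).hex(), lint_secret(s))
    print("trim mismatch breaks interop:", not peers_agree("secret ", False, "secret ", True))
```

The point of `peers_agree` is that the mismatch is invisible at configuration time: both peers hold the same text, and only the derived key differs, which is exactly why Paul wants PPK and PSK strings to go through one code path with one interpretation.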

_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec