Nico Williams <[email protected]> wrote:
> On Mon, Dec 10, 2018 at 09:20:54PM -0500, Michael Richardson wrote:
> > Paul Wouters <[email protected]> wrote:
> > > > yes, typo, "not for road-warrior"
> > >
> > > I understood. I disagree with the "not". Road warriors using group psk is
> > > a thing, sadly.
> >
> > But they aren't cross-domain, they can do EAP-foobar, and they could use a
> > certificate without a lot of hassle about what set of trust anchors.
> >
> > If we stick to the site-to-site then I think we can do something rather
> > simple and quick, and our security considerations section will be much
> > simpler.
>
> I mean, if road warriors should always be using either EAP or user
> certs, then we don't need PAKE for anything because presumably the
> shared keys used in PSKs are strong enough that PAKEs don't improve
> security and only slow things down...

It's the enterprise-to-enterprise connection that is hard to convert to
certificates for the reasons that Paul explained.

> (I'm assuming you mean to use an EAP method like EAP-PWD (RFCs 5931 and
> 8146), yes?)
>
> Assuming you can always use EAP, the only real reasons to use a PAKE in
> IKEv2 are:
>
> - you're not entirely sure that you don't have weak PSKs and would like
>   to strengthen them

I think that this is the major reason.

> - you don't always want EAP for users who don't have certs for reasons
>   that escape me
>
> (I wouldn't object, but if EAP fits the bill as to PAKE already, then
> the WG could object to spending its resources on adding PAKE to
> IKEv2.)

I think that a user-oriented PAKE is more useful if it can be backended
into a AAA infrastructure, which EAP can.
A site-to-site PAKE is more useful if it is isolated from any AAA infrastructure.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
