On Tue, 11 Dec 2018, Valery Smyslov wrote:

What I heard from the IPsecME record was that many in the room
felt that this was where there was a weakness.

I see this as a social issue, not a technical one. We can't prevent
administrators from being careless, either with PSKs or with passwords.

We can make more secure deployments easier.

If the only change on the site-to-site config is to change the keyword
"psk" to "pake" and that prevents offline dictionary attacks, that's an
easy win.

I care a little less for group PSKs because well, it is a group so even
a pake won't buy us that much extra if dozens or thousands of people
have the pake secret.

Paul
