On Fri, 30 Aug 2019, Dan Harkins wrote:
> Doing EAPTLS seems pointless. If your "additional client configuration"
> involved a new trust anchor and an EST exchange and an X.509 certificate
> then why not just use IKE?
Because "just use IKE" with Machine Certificates on Windows requires
Administrator privilege, while using the exact same certificates for
EAPTLS only requires user privileges.
Is that worth 8 roundtrips? Our opinion does not matter, but Microsoft
thinks it does :(
> EAP is an abomination.
I'll drink to that!
> Administrators doing site-to-site VPNs are better off using a true random
> strong PSK instead of a weaker PAKE.
Well how many administrators generate a nice string of 256-bits of "true
random strong PSK"? Seriously, if administrators followed such advice then
we would not be continually adding another "die" on the "die die die IKEv1"
routine we seem to do every 9 months. How many "dies" are we up to now?
I did not add killing PSKs to that draft, precisely because some
objected because strong PSKs are stronger than PAKEs.
> Management of such "true random strong PSKs" is a pain which is why
> administrators use PSKs that are shorter, easier to remember, and easier to
> enter with a high probability of being correct. So a PAKE is just a robust
> solution for administrators that will do what we know they're gonna do
> anyway.
Fair enough. Although people configuring Ciscos will use PSK for the
next 20 years even if we got an RFC tomorrow. I still regularly see
modp1024 flying by - in fact more so now because libreswan stopped
supporting it so people upgrading are finally finding out they have
a 15+ year old weak configuration.
> For a site-to-site VPN something like "identity protection" might not be
> that big of a deal so there need not be any client provisioning. A simple
> phone call between the 2 parties could suffice. If identity protection is
> needed, then there's a provisioning step or we do an additional roundtrip.
True as well,
Paul
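As an added example (not part of this thread or of libreswan), a small Python audit that flags the two weaknesses discussed above, modp1024 in an IKE proposal and a PSK too short to carry 256 bits of randomness, and generates a proper 256-bit PSK. The ipsec.conf and ipsec.secrets fragments it scans are constructed samples in libreswan's syntax; the function names and thresholds are assumptions.

```python
import re
import secrets

# Constructed sample libreswan-style ipsec.conf fragment (not from the thread).
SAMPLE_CONF = """\
conn branch-a
    ike=aes256-sha2;modp1024
    authby=secret

conn branch-b
    ike=aes256-sha2;dh19
    authby=secret
"""

# Constructed sample ipsec.secrets lines (RFC 5737 documentation addresses).
SAMPLE_SECRETS = """\
192.0.2.1 198.51.100.1 : PSK "summer2019"
192.0.2.1 203.0.113.7 : PSK "7d1a0c3f9e2b4a6c8d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e"
"""

# Groups that should not appear in a new configuration (assumed list).
WEAK_GROUPS = ("modp768", "modp1024", "modp1536")


def weak_dh_conns(conf_text, weak_groups=WEAK_GROUPS):
    """Return names of conn sections whose ike= proposal lists a weak MODP group."""
    flagged, current = [], None
    pattern = re.compile(r"\b(" + "|".join(weak_groups) + r")\b")
    for line in conf_text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s*ike\s*=\s*(.+)$", line)
        if m and current and pattern.search(m.group(1)) and current not in flagged:
            flagged.append(current)
    return flagged


def weak_psks(secrets_text, min_chars=32):
    """Return ID pairs whose PSK is too short to hold 256 bits of entropy.

    Length is necessary, not sufficient: a long human-chosen secret still passes.
    """
    flagged = []
    for line in secrets_text.splitlines():
        m = re.match(r'^\s*(.+?)\s*:\s*PSK\s+"([^"]*)"', line)
        if m and len(m.group(2)) < min_chars:
            flagged.append(m.group(1))
    return flagged


def generate_psk(bits=256):
    """Return a hex PSK holding `bits` of CSPRNG entropy (64 hex chars for 256)."""
    return secrets.token_hex(bits // 8)
```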
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec