From a developer point of view, I share the same opinion as Yaron about this
issue. Instead of creating new solutions, I personally think that it would
be better to offer guidelines on how to implement current solutions (i.e. EAP)
and provide documents targeting implementers. This would create less
confusion and keep IKEv2 a clean, easy to understand and use protocol.

Regards,
Matthew

2009/12/1 Yaron Sheffer <yar...@checkpoint.com>

> Hi everyone,
>
> [WG co-chair hat off]
>
> I believe this effort is misguided, and would be a waste of the WG time.
>
> EAP was added to IKEv2 to provide "legacy" (a.k.a. password)
> authentication. In the past it did not do it very well, but this is
> changing. We should improve the use of EAP in IKEv2, rather than replacing
> it by a homebrew solution.
>
> Specifically, the following EAP methods can be used today (or in the near
> future) for mutual password-based auth:
>
> - Dan's own EAP-PWD,
> http://tools.ietf.org/html/draft-harkins-emu-eap-pwd-12
> - My EAP-EKE, http://tools.ietf.org/html/draft-sheffer-emu-eap-eke-03
> - The long expired EAP-SRP,
> http://tools.ietf.org/html/draft-ietf-pppext-eap-srp-03
> - A rumored EAP method based on the PAK protocol (
> http://tools.ietf.org/html/draft-brusilovsky-pak-10)
>
> Embedding one of these methods as the single way to do mutual auth in IKE
> simply doesn't make sense.
>
> In addition, SPSK (which is equivalent to EAP-PWD) is a novel crypto
> protocol. It has had by far less crypto review than the other three
> protocols. IMHO, this working group should NOT be developing new
> cryptographic protocols. This is not where our expertise lies.
>
> Lastly, one of the major criticisms with IKEv1 was the number of protocol
> modes. And here we are, with a proposal to add another mode to IKEv2.
> Doesn't seem like a good idea to me.
>
> Thanks,
>        Yaron
>
>
> > -----Original Message-----
> > From: Dan Harkins [mailto:dhark...@lounge.org]
> > Sent: Tuesday, December 01, 2009 1:35
> > To: Yaron Sheffer
> > Cc: ipsec@ietf.org
> > Subject: Re: [IPsec] Proposed work item: IKEv2 password authentication
> > (SPSK)
> >
> >
> >   Hello,
> >
> >   As can be inferred by my previous posting on EAP-only authentication,
> > I favor this particular method for mutual authentication.
> >
> >   I believe this is a general purpose exchange, useful for more than the
> > narrow focus of EAP-only, does not require extraneous encapsulations or
> > unnecessary code (ala EAP-only), and is secure regardless of its use
> > (unlike EAP-only).
> >
> >   I am committed to working on this as a WG work item. I agree to
> > continue contributing to the text and (co-)authoring the text. I solicit
> > help, and support, from those who are interested in this task.
> >
> >   regards,
> >
> >   Dan.
> >
> > On Sun, November 29, 2009 9:20 am, Yaron Sheffer wrote:
> > > This draft proposes a particular method for mutual authentication of
> > > IKEv2 peers using a short, low quality shared secret (a.k.a. "password").
> > > The proposal is to embed this method in the IKE exchange, rather than
> > > use EAP.
> > >
> > > Proposed starting point:
> > > http://tools.ietf.org/id/draft-harkins-ipsecme-spsk-auth-00.txt.
> > >
> > > Please reply to the list:
> > >
> > > - If this proposal is accepted as a WG work item, are you committing to
> > > review multiple versions of the draft?
> > > - Are you willing to contribute text to the draft?
> > > - Would you like to co-author it?
> > >
> > > Please also reply to the list if:
> > >
> > > - You believe this is NOT a reasonable activity for the WG to spend
> > > time on.
> > >
> > > If this is the case, please explain your position. Do not explore the
> > > fine technical details (which will change anyway, once the WG gets hold
> > > of the draft); instead explain why this is uninteresting for the WG or
> > > for the industry at large. Also, please mark the title clearly (e.g.
> > > "DES40-export in IPsec - NO!").
> > > _______________________________________________
> > > IPsec mailing list
> > > IPsec@ietf.org
> > > https://www.ietf.org/mailman/listinfo/ipsec
> > >
> >
> >
>