I think this is a terrible idea. 

IKEv2 has a way for mutual authentication with a shared key.

A concern was raised that this method was vulnerable to guessing if trivial 
shared keys were configured.

There were several proposals for a better cryptographic method.

The IPsecME working group failed to choose between them. This is not so 
surprising, because most participants are engineers, not cryptographers. Even 
those with some cryptographic background stayed silent because choosing between 
several cryptographic protocols is hard. IETF last calls and the IESG did not 
help much either.

This draft represents a total shirking of our responsibility. Rather than 
decide on one protocol that is "best" or even arbitrarily choosing one that is 
"good enough", it proposes to build a framework so that everyone and their dog 
can have their own method. This is a nightmare for developers: since you can't 
know what method the peer will support, you have to implement all of them. 

If this had been a hierarchical organization, some manager would decide which 
of the methods gets developed (or published) and the others would be relegated 
to the recycle bin.

The IETF is not like that and we seek to reach consensus. That's a good thing, 
but this time it's leading us to a really bad solution for interoperability, 
and a really bad solution for implementers. 

I am opposed to this draft.


On Jul 27, 2011, at 12:44 PM, The IESG wrote:

> The IESG has received a request from an individual submitter to consider
> the following document:
> - 'Secure Password Framework for IKEv2'
>  <draft-kivinen-ipsecme-secure-password-framework-01.txt> as an
> Informational RFC
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send substantive comments to the
> i...@ietf.org mailing lists by 2011-08-24. Exceptionally, comments may be
> sent to i...@ietf.org instead. In either case, please retain the
> beginning of the Subject line to allow automated sorting.
> Abstract
>   This document creates a generic way for Internet Key Exchange (IKEv2)
>   to use any of the symmetric secure password authentication methods.
>   There are multiple methods already specified in other documents and
>   this document does not add a new one.  This document specifies a common
>   way so those methods can agree on which method is to be used in
>   current connection.  This document also provides a common way to
>   transmit secure password authentication method specific payloads
>   between peers.
> The file can be obtained via
> http://datatracker.ietf.org/doc/draft-kivinen-ipsecme-secure-password-framework/
> IESG discussion can be tracked via
> http://datatracker.ietf.org/doc/draft-kivinen-ipsecme-secure-password-framework/
> No IPR declarations have been submitted directly on this I-D.

IPsec mailing list
