Re: [IPsec] Last Call: <draft-kivinen-ipsecme-secure-password-framework-01.txt> (Secure Password Framework for IKEv2) to Informational RFC

I think this is a terrible idea. 

IKEv2 has a way for mutual authentication with a shared key.

A concern was raised that this method was vulnerable to guessing if trivial shared keys were configured.

There were several proposals for a better cryptographic method.

The IPsecME working group failed to choose between them. This is not so surprising, because most participants are engineers, not cryptographers. Even those with some cryptographic background stayed silent because choosing between several cryptographic protocols is hard. IETF last calls and the IESG did not help much either.

This draft represents a total shirking of our responsibility. Rather than decide on one protocol that is "best" or even arbitrarily choosing one that is "good enough", it proposes to build a framework so that everyone and their dog can have their own method. This is a nightmare for developers: since you can't know what method the peer will support, you have to implement all of them. 

If this had been a hierarchical organization, some manager would decide which of the methods gets developed (or published) and the others would be relegated to the recycle bin.

The IETF is not like that and we seek to reach consensus. That's a good thing, but this time it's leading us to a really bad solution for interoperability, and a really bad solution for implementers. 

I am opposed to this draft.

Yoav

On Jul 27, 2011, at 12:44 PM, The IESG wrote:

> 
> The IESG has received a request from an individual submitter to consider
> the following document:
> - 'Secure Password Framework for IKEv2'
>  <draft-kivinen-ipsecme-secure-password-framework-01.txt> as an
> Informational RFC
> 
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send substantive comments to the
> ietf@xxxxxxxx mailing lists by 2011-08-24. Exceptionally, comments may be
> sent to iesg@xxxxxxxx instead. In either case, please retain the
> beginning of the Subject line to allow automated sorting.
> 
> Abstract
> 
> 
>   This document creates a generic way for Internet Key Exchange (IKEv2)
>   to use any of the symmetric secure password authentication methods.
>   There are multiple methods already specified in other documents and
>   this document does not add new one.  This document specifies a common
>   way so those methods can agree on which method is to be used in
>   current connection.  This document also provides a common way to
>   transmit secure password authentication method specific payloads
>   between peers.
> 
> 
> 
> 
> The file can be obtained via
> http://datatracker.ietf.org/doc/draft-kivinen-ipsecme-secure-password-framework/
> 
> IESG discussion can be tracked via
> http://datatracker.ietf.org/doc/draft-kivinen-ipsecme-secure-password-framework/
> 
> 
> No IPR declarations have been submitted directly on this I-D.

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
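The guessing concern Yoav refers to (IKEv2 shared-key authentication with a trivial pre-shared key) is easy to see in code. What follows is an added illustration, not code from the draft, the IETF, or the poster: it implements the AUTH computation from RFC 7296 section 2.15, AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <InitiatorSignedOctets>), with HMAC-SHA-256 standing in for the negotiated prf. The message contents, nonces, SK_pi value and candidate word list are all constructed placeholders, and the packet layout is simplified to opaque byte strings. The point it shows: a party that holds SK_pi (the legitimate responder, or an active attacker who answered the initiator's IKE_SA_INIT and so completed the Diffie-Hellman exchange) can check password guesses offline against the initiator's AUTH payload, whereas a passive observer without SK_pi cannot.

```python
import hashlib
import hmac
import os

KEY_PAD = b"Key Pad for IKEv2"  # literal pad string from RFC 7296, section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA-256 is an assumption here; the real prf is negotiated in IKE_SA_INIT.
    return hmac.new(key, data, hashlib.sha256).digest()


def initiator_signed_octets(message1: bytes, nonce_r: bytes,
                            sk_pi: bytes, id_i_rest: bytes) -> bytes:
    # InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI
    # MACedIDForI = prf(SK_pi, RestOfInitIDPayload)       (RFC 7296, 2.15)
    return message1 + nonce_r + prf(sk_pi, id_i_rest)


def ikev2_psk_auth(shared_secret: bytes, signed_octets: bytes) -> bytes:
    # AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), <InitiatorSignedOctets> )
    return prf(prf(shared_secret, KEY_PAD), signed_octets)


def guess_psk(auth: bytes, message1: bytes, nonce_r: bytes,
              sk_pi: bytes, id_i_rest: bytes, wordlist):
    """Offline check of candidate shared secrets against an observed AUTH.

    Succeeds only if the caller knows SK_pi, i.e. took part in the DH exchange.
    """
    octets = initiator_signed_octets(message1, nonce_r, sk_pi, id_i_rest)
    for cand in wordlist:
        if hmac.compare_digest(ikev2_psk_auth(cand, octets), auth):
            return cand
    return None


# Constructed stand-ins for the first IKE_SA_INIT message, the responder
# nonce, the initiator ID payload body and the DH-derived SK_pi.
MESSAGE1 = b"IKE_SA_INIT request (constructed placeholder bytes)"
NONCE_R = bytes(range(32))
ID_I_REST = b"\x02\x00\x00\x00" + b"vpn-user@example.net"   # constructed ID payload
SK_PI = hashlib.sha256(b"constructed DH-derived SK_pi").digest()

# Constructed word list of trivial shared keys.
WORDLIST = [b"password", b"123456", b"letmein", b"secret", b"qwerty"]


def run_scenario(shared_secret: bytes):
    """Initiator sends AUTH; return what an active and a passive attacker recover."""
    octets = initiator_signed_octets(MESSAGE1, NONCE_R, SK_PI, ID_I_REST)
    auth = ikev2_psk_auth(shared_secret, octets)

    # Active attacker: played the responder, so it holds the real SK_pi.
    active = guess_psk(auth, MESSAGE1, NONCE_R, SK_PI, ID_I_REST, WORDLIST)

    # Passive eavesdropper: saw the packets but never learned SK_pi.
    wrong_sk_pi = os.urandom(32)
    passive = guess_psk(auth, MESSAGE1, NONCE_R, wrong_sk_pi, ID_I_REST, WORDLIST)
    return active, passive


if __name__ == "__main__":
    print("trivial PSK:", run_scenario(b"letmein"))          # (b'letmein', None)
    print("random PSK: ", run_scenario(os.urandom(32)))      # (None, None)
```

A pre-shared key drawn from a large random space defeats the word list, which is why RFC 7296 expects the shared secret to have sufficient entropy; the secure password methods under discussion in the thread exist precisely so that a human-chosen password can be used without exposing it to this offline check by an active peer.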