Re: [IPsec] Possible update to isakmp-registry

To: "Yaron Sheffer" <yaronf.ietf at gmail.com>
Subject: Re: [IPsec] Possible update to isakmp-registry
From: "Dan Harkins" <dharkins at lounge.org>
Date: Fri, 10 Feb 2012 14:45:15 -0800 (PST)
Cc: ipsec at ietf.org, turners at ieca.com, Paul Hoffman <paul.hoffman at vpnc.org>, kivinen at iki.fi, stephen.farrell at cs.tcd.ie
Delivered-to: ipsec at ietfa.amsl.com
Importance: Normal
In-reply-to: <4F357A65.20606 at gmail.com>
List-archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: Discussion of IPsec protocols <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <RT-Ticket-111200 at icann.org> <rt-3.8.HEAD-29275-1311783924-532.111200-7-0 at icann.org> <rt-3.8.HEAD-15630-1318444488-609.111200-7-0 at icann.org> <rt-3.8.HEAD-11399-1320163223-1013.111200-7-0 at icann.org> <20162.16194.361337.415232 at fireball.kivinen.iki.fi> <rt-3.8.HEAD-5313-1321353058-1814.111200-7-0 at icann.org> <rt-3.8.HEAD-26615-1325909894-588.111200-7-0 at icann.org> <20235.3284.301719.250098 at fireball.kivinen.iki.fi> <rt-3.8.HEAD-8934-1326126279-1071.111200-7-0 at icann.org> <rt-3.8.HEAD-25431-1328666879-1704.111200-7-0 at icann.org> <4F340992.5030502 at gmail.com> <372E1EC3-5516-447F-AC27-89E584418135 at vpnc.org> <4F357A65.20606 at gmail.com>
User-agent: SquirrelMail/1.4.14 [SVN]

On Fri, February 10, 2012 12:13 pm, Yaron Sheffer wrote:
> Hi Paul,
>
> sorry, I don't understand your statement. Yes, IKEv1 is popular but
> (formally) obsolete. It is still our responsibility to ensure that it
> doesn't gain new and insecure extensions in its old age. The way we do
> it is through the normal IETF/RFC-Ed/IANA bureaucratic processes.
>
> Unlike Tero, I don't think people will be adding non-IETF extensions of
> this sort to IKEv1. New crypto algorithms, maybe. But new authentication
> methods? I'd be surprised.

  SURPRISE! It's me. And I want to add a new authentication method
to IKEv1. New, yes; insecure, no. In fact, it makes things _more_ secure
because it obviates the need for insecure extensions that have been added
to IKEv1 and widely implemented, like XAUTH, because it removes the
requirement that a PSK be bound to an IP address and it is resistant to
dictionary attack.

  (And now that I have mentioned this, will you be surprising yourself
by proposing a new authentication method for IKEv1 that is resistant to
dictionary attack?)

  Dan.

Follow-Ups:
- Re: [IPsec] Possible update to isakmp-registry
  - From: Yaron Sheffer

References:
- [IPsec] [IANA #111200] [old message] Possible update to isakmp-registry
  - From: Tero Kivinen
- [IPsec] [IANA #111200] [old message] Possible update to isakmp-registry
  - From: Pearl Liang via RT
- Re: [IPsec] [IANA #111200] [old message] Possible update to isakmp-registry
  - From: Yaron Sheffer
- Re: [IPsec] [IANA #111200] [old message] Possible update to isakmp-registry
  - From: Paul Hoffman
- Re: [IPsec] Possible update to isakmp-registry
  - From: Yaron Sheffer

Prev by Date: Re: [IPsec] Possible update to isakmp-registry
Next by Date: Re: [IPsec] Possible update to isakmp-registry
Previous by thread: Re: [IPsec] Possible update to isakmp-registry
Next by thread: Re: [IPsec] Possible update to isakmp-registry
Index(es):
- Date
- Thread

Re: [IPsec] Possible update to isakmp-registry

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.