mcr at sandelman.ottawa.on.ca
Mon Mar 20 11:18:25 PST 2006
-----BEGIN PGP SIGNED MESSAGE-----
> and Key IDs . All require either CA-signed certificates or pre-
> shared secrets to authenticate. These can be roughly categorized into
> network layer identifiers and other identifiers.
> 2.1.2. Authentication Methods
> As described earlier, CA-signed certificates and pre-shared secrets
> are the only methods of authentication accepted by current IPsec and
> IKE specifications. Pre-shared secrets require manual configuration
This is false.
There is nothing in IKEv1 or IKEv2 that says that you have to use a
CA-signed certificate to use RSASIG authentication.
As implementation proof, there are Openswan/Freeswan/Strongswan, and
ncp.de (for Windows), which provide raw RSA key usage with RSASIG.
Self-signed certificates are widely used as well, both by *swan, and
also by racoon, SSH/Safenet, and others.
The fact that these things need to be pre-exchanged is irrelevant, as so
The fact of the matter is that a multitude of IPsec vendors have made it
very hard to use RSASIG mode in any kind of small-scale deployment.
These systems simply do not scale: scaling is about working with 2
machines as well as with 2 million.
Just working for 2 million nodes is not "scaling".
By stating the above you are propagating the myth that "PK is hard"
(Think of that in a "math-is-hard" Barbie voice). It isn't. It's the "I"
part that is hard, particularly if you wish to work without pre-deployed
infrastructure, which Joe does.
I can not suggest text, because I think worrying about how hard
certificates are to get is totally irrelevant. I would just say that
pre-arranging appropriate, mutually trusted authentication systems is
hard, particularly when the connection crosses organizational
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Finger me for keys
-----END PGP SIGNATURE-----
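The post's point is that RSASIG authentication needs a signature verified against a key the peer already trusts, and that the trusted key can be a raw RSA public key exchanged out of band with no CA anywhere in the picture. The following Go program is an added illustration of that model, not code from the post, from the draft under discussion, or from any of the *swan implementations. It models two peers that pin each other's raw public keys (the "pre-exchange"), sign an authentication payload, and verify it using only the pinned key; the peer identities, the payload bytes and the function names are constructed for the example, and the signature scheme (PKCS#1 v1.5 over SHA-256) is just a concrete choice, not a claim about what IKE negotiates.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Peer holds its own key pair plus the raw public keys of the peers it
// trusts, indexed by identity. No certificate chain and no CA is involved:
// the key store *is* the trust anchor, which is exactly the RSASIG-with-raw-keys
// arrangement the post describes.
type Peer struct {
	ID      string
	priv    *rsa.PrivateKey
	trusted map[string]*rsa.PublicKey
}

// NewPeer generates a fresh RSA key pair for a peer with the given identity.
func NewPeer(id string) (*Peer, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Peer{ID: id, priv: k, trusted: map[string]*rsa.PublicKey{}}, nil
}

// PublicKeyDER returns the raw public key (PKCS#1 DER) as it would be handed
// to the other side out of band, e.g. pasted into a configuration file.
func (p *Peer) PublicKeyDER() []byte {
	return x509.MarshalPKCS1PublicKey(&p.priv.PublicKey)
}

// Trust records a pre-exchanged raw key for an identity. This is the one
// step that genuinely has to happen in advance.
func (p *Peer) Trust(id string, der []byte) error {
	pub, err := x509.ParsePKCS1PublicKey(der)
	if err != nil {
		return err
	}
	p.trusted[id] = pub
	return nil
}

// Sign produces an RSASIG-style authentication value over payload.
func (p *Peer) Sign(payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, h[:])
}

// Verify accepts the signature only if it checks out against the raw key
// pinned for the claimed identity. An unknown identity is rejected outright.
func (p *Peer) Verify(claimedID string, payload, sig []byte) error {
	pub, ok := p.trusted[claimedID]
	if !ok {
		return errors.New("no pre-exchanged key for identity " + claimedID)
	}
	h := sha256.Sum256(payload)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// RunScenario wires up two peers with pre-exchanged raw keys and a third
// party with no relationship to them. It returns whether the legitimate
// signature was accepted and whether the third party's attempt to sign as
// "bob" was rejected.
func RunScenario() (accepted bool, forgedRejected bool, err error) {
	alice, err := NewPeer("alice")
	if err != nil {
		return false, false, err
	}
	bob, err := NewPeer("bob")
	if err != nil {
		return false, false, err
	}
	other, err := NewPeer("other") // has never exchanged keys with alice
	if err != nil {
		return false, false, err
	}
	// The out-of-band pre-exchange: raw keys, no CA, no certificate.
	if err := alice.Trust("bob", bob.PublicKeyDER()); err != nil {
		return false, false, err
	}
	if err := bob.Trust("alice", alice.PublicKeyDER()); err != nil {
		return false, false, err
	}

	payload := []byte("constructed IKE AUTH payload for the example")
	sig, err := bob.Sign(payload)
	if err != nil {
		return false, false, err
	}
	accepted = alice.Verify("bob", payload, sig) == nil

	// A key alice has never seen cannot authenticate as "bob", because the
	// decision is made against the pinned key, not against any issuer.
	badSig, err := other.Sign(payload)
	if err != nil {
		return false, false, err
	}
	forgedRejected = alice.Verify("bob", payload, badSig) != nil
	return accepted, forgedRejected, nil
}

func main() {
	accepted, rejected, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("bob accepted by alice: %v; unknown key rejected: %v\n", accepted, rejected)
}
```

The scaling remark in the post is visible in the shape of this code: the work that grows with the number of peers is populating the `trusted` map, not the verification itself. A self-signed certificate fits the same model, since the verifier pins the certificate (or its key) rather than walking a chain to an issuer.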