My initial inclination is to say that won't fly: that many deployments still require preshared key authentication. Rather, they would object to certificates because of perceived complexity. That said, I could see arguments that what we're discussing are already fairly sophisticated topologies, so perhaps the certificate allergy doesn't hold?
On Mar 24, 2012, at 3:05 AM, "Tero Kivinen" <kivinen@...> wrote:
> Praveen Sathyanarayan writes:
>> Yes. If certificate based authentication was used in the network, there is
>> no need for new credentials. But if pre-shared key based was used, then we
>> need these "temporary credentials". Also, it is required to define the
>> lifetime of these "temporary credentials". For example, if the tunnel between
>> spokes stays beyond the lifetime of the SA, then can the same "temporary
>> credentials" be used for rekey? Or should new "temporary credentials"
>> be received from the Hub?
> That starts to sound like certificates... One of the ways to do this
> is to always use certificates in the on-demand direct vpn connections.
> I.e. if peer A normally authenticates itself with PSK to the hub,
> it would then create a private key, give it to the hub, which would sign
> it with a hub-only configuration trust anchor, and then other peers
> could use that key.
> Or another way would be to use raw public keys, but then we do not
> have things like validity periods, etc.
> As X.509 certificate authentication support is already MANDATORY to
> support in all implementations, that could be the easiest way forward.