No surprise at all - I used the term "non-IETF extension". As long as
your extension goes through proper IETF process/review, I'm fine with
it. I might even support it, since I agree that it adds security to
IKEv1/PSK. Other people might argue that we shouldn't confuse the
industry by adding major new pieces to IKEv1.

On 02/11/2012 12:45 AM, Dan Harkins wrote:
> On Fri, February 10, 2012 12:13 pm, Yaron Sheffer wrote:
>> Hi Paul,
>> sorry, I don't understand your statement. Yes, IKEv1 is popular but
>> (formally) obsolete. It is still our responsibility to ensure that it
>> doesn't gain new and insecure extensions in its old age. The way we do
>> it is through the normal IETF/RFC-Ed/IANA bureaucratic processes.
>> Unlike Tero, I don't think people will be adding non-IETF extensions of
>> this sort to IKEv1. New crypto algorithms, maybe. But new authentication
>> methods? I'd be surprised.
> SURPRISE! It's me. And I want to add a new authentication method
> to IKEv1. New, yes; insecure, no. In fact, it makes things _more_ secure
> because it obviates the need for insecure extensions that have been added
> to IKEv1 and widely implemented, like XAUTH, because it removes the
> requirement that a PSK be bound to an IP address and it is resistant to
> dictionary attack.
> (And now that I have mentioned this, will you be surprising yourself
> by proposing a new authentication method for IKEv1 that is resistant to
> dictionary attack?)