Re: RADEXT Milestone revisions

Hi Glen, 

> > ok. that's a different story. i remember these two proposals. what i
> > disliked with them was that they do not provide a solution for
> > dynamic authentication and key management. 
> 
> What do you mean by "dynamic authentication and key management"?

Let me give you two examples:

1) IPsec

IPsec AH and IPsec ESP can be used with manually configured IPsec SAs.
You just need to create two SAs (symmetric key, algorithms, ..) at each
end point (if you want to protect the traffic in both directions). 

Alternatively, you can use IKEv2 (or IKEv2) to establish these security
associations. The advantage: you use a signaling protocol for
authentication and key management. 

2) TLS

The TLS Record Layer provides protection of the data traffic. In order
to be used you need to have fresh keying material suitable for the
record layer available. 

Since the TLS Record Layer and the TLS Handshake protocol are tightly
coupled within TLS you need to run the Handshake protocol to run the
authentication and key exchange protocol to establish the necessary
keying material. 

Currently it seems that you worry about the actual protection of the
keying material delivery but you don't worry about the other part of the
story. 
Ciao
Hannes
> 
> > why isn't something
> > tackling this issue? this would also solve the aspect of algorithm
> > negotiation. wouldn't be something like radius domain of
> > interpretation for isakmp be appropriate here.
>     
> ...
> 
> ~gwz
> 
> Why is it that most of the world's problems can't be solved by simply
>   listening to John Coltrane? -- Henry Gabriel
> 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
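The distinction Hannes draws above, protecting traffic under a security association versus establishing and authenticating that association's keys, can be shown in code. The following is an added illustration, not part of this thread and not code from any IETF work: a minimal one-directional integrity SA (sequence number, truncated HMAC ICV, anti-replay check) that is keyed either manually, with an operator-configured key that is the same on every restart and in both directions, or dynamically, through a toy IKE-like exchange (ephemeral Diffie-Hellman, pre-shared-key authentication of the exchange, HKDF to split the result into per-direction keys). The SA layout, SPI values, nonce and key lengths and the `"SA keys"` label are this example's own assumptions; the MODP group is reproduced from RFC 2409 and should be checked against the RFC before any reuse.

```python
"""Manual versus dynamically keyed security associations (added illustration)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# 1024-bit MODP prime and generator of IKE group 2 (RFC 2409, section 6.2), reproduced
# here from the RFC; verify against the RFC. Chosen only to keep the example
# dependency-free: 1024-bit groups are below current recommendations.
MODP_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
MODP_G = 2
ICV_LEN = 16  # truncated HMAC-SHA256 tag, as AH/ESP truncate their ICVs


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class SA:
    """One-directional integrity SA: key, SPI, outbound sequence number, simple anti-replay."""

    def __init__(self, spi: int, key: bytes):
        self.spi, self.key = spi, key
        self.seq_out = 0   # next sequence number we send
        self.seq_seen = 0  # highest sequence number accepted so far

    def protect(self, payload: bytes) -> bytes:
        """Return SPI || seq || payload || ICV, with the ICV covering everything before it."""
        self.seq_out += 1
        header = self.spi.to_bytes(4, "big") + self.seq_out.to_bytes(4, "big")
        icv = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
        return header + payload + icv

    def verify(self, packet: bytes) -> Optional[bytes]:
        """Return the payload if SPI, ICV and sequence number all check out, else None."""
        if len(packet) < 8 + ICV_LEN:
            return None
        header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = int.from_bytes(header[:4], "big"), int.from_bytes(header[4:], "big")
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:ICV_LEN]
        if spi != self.spi or not hmac.compare_digest(icv, expected) or seq <= self.seq_seen:
            return None
        self.seq_seen = seq
        return body


def sa_pair_from_keys(k_ab: bytes, k_ba: bytes) -> Tuple[Tuple[SA, SA], Tuple[SA, SA]]:
    """Each endpoint's (outbound, inbound) SAs; A->B uses SPI 0x1000, B->A uses SPI 0x2000."""
    side_a = (SA(0x1000, k_ab), SA(0x2000, k_ba))
    side_b = (SA(0x2000, k_ba), SA(0x1000, k_ab))
    return side_a, side_b


def manual_keying(configured_key: bytes):
    """Manual SAs: the operator configures one static key at both ends; nothing in the
    protocol supplies freshness, rekeying or peer authentication."""
    return sa_pair_from_keys(configured_key, configured_key)


def dynamic_keying(psk_i: bytes, psk_r: bytes):
    """Toy IKE-like exchange run in-process: ephemeral DH gives a fresh shared secret,
    each side proves knowledge of its PSK over the transcript, HKDF splits the secret
    into per-direction SA keys. Raises ValueError if either side rejects the other."""
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)        # nonces
    x_i, x_r = (secrets.randbelow(MODP_P - 2) + 1 for _ in range(2))   # ephemeral exponents
    y_i, y_r = pow(MODP_G, x_i, MODP_P), pow(MODP_G, x_r, MODP_P)      # exchanged public values
    transcript = y_i.to_bytes(128, "big") + y_r.to_bytes(128, "big") + n_i + n_r
    auth_i = hmac.new(psk_i, b"I" + transcript, hashlib.sha256).digest()  # initiator's proof
    auth_r = hmac.new(psk_r, b"R" + transcript, hashlib.sha256).digest()  # responder's proof
    # Responder verifies the initiator with its own PSK, and vice versa, before using the DH result.
    if not hmac.compare_digest(auth_i, hmac.new(psk_r, b"I" + transcript, hashlib.sha256).digest()):
        raise ValueError("responder rejects initiator: PSK mismatch")
    if not hmac.compare_digest(auth_r, hmac.new(psk_i, b"R" + transcript, hashlib.sha256).digest()):
        raise ValueError("initiator rejects responder: PSK mismatch")
    ss_i = pow(y_r, x_i, MODP_P).to_bytes(128, "big")   # initiator's view of the shared secret
    ss_r = pow(y_i, x_r, MODP_P).to_bytes(128, "big")   # responder's view, identical if all went well
    keys_i = hkdf(ss_i, n_i + n_r, b"SA keys", 64)
    keys_r = hkdf(ss_r, n_i + n_r, b"SA keys", 64)
    return sa_pair_from_keys(keys_i[:32], keys_i[32:])[0], sa_pair_from_keys(keys_r[:32], keys_r[32:])[1]


if __name__ == "__main__":
    (a_out, a_in), (b_out, b_in) = dynamic_keying(b"shared-psk", b"shared-psk")
    pkt = a_out.protect(b"Access-Request")
    print("accepted:", b_in.verify(pkt), "replay accepted:", b_in.verify(pkt))
```

The manual path shows what Hannes means by the missing half: two runs of `manual_keying` yield identical SA keys, so freshness, rekeying and mutual authentication are entirely the operator's problem, while each run of `dynamic_keying` produces distinct, direction-specific keys that only peers holding the same PSK can reach.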