RE: RADEXT Milestone revisions
Tschofenig, Hannes <mailto:email@example.com> supposedly scribbled:
> Hi Glen,
>>> OK, that's a different story. I remember these two proposals. What I
>>> disliked about them was that they do not provide a solution for
>>> dynamic authentication and key management.
>> What do you mean by "dynamic authentication and key management"?
> Let me give you two examples:
> 1) IPsec
> IPsec AH and IPsec ESP can be used with manually configured IPsec SAs.
> You just need to create two SAs (symmetric key, algorithms, ..) at
> each end point (if you want to protect the traffic in both
> Alternatively, you can use IKEv2 (or IKEv2) to establish these
> security associations. The advantage: you use a signaling protocol
> for authentication and key management.
> 2) TLS
> The TLS Record Layer provides protection of the data traffic. In
> order to be used you need to have fresh keying material suitable for
> the record layer available.
> Since the TLS Record Layer and the TLS Handshake protocol are tightly
> coupled within TLS you need to run the Handshake protocol to run the
> authentication and key exchange protocol to establish the necessary
> keying material.
> Currently it seems that you worry about the actual protection of the
> keying material delivery but you don't worry about the other part of
> the story.
On the contrary, I'm quite concerned about the stuff you're talking about; problem is, the IETF is apparently not.
>>> Why isn't something
>>> tackling this issue? This would also solve the aspect of algorithm
>>> negotiation. Wouldn't something like a RADIUS domain of
>>> interpretation for ISAKMP be appropriate here?
Hope this helps,
Why is it that most of the world's problems can't be solved by simply
listening to John Coltrane? -- Henry Gabriel
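The IPsec half of the exchange above makes two operational points: manually configured SAs carry a static symmetric key with no key-management protocol to refresh it, and protecting both directions needs a separate SA each way. The script below is an added example (not part of the thread, and not from any IETF document) that audits a Linux `ip xfrm state` text dump for exactly those two conditions: SAs with no hard lifetime limit at all, so the key stays in place until an operator replaces it, and SAs with no counterpart for the return direction. The assumed line layout is that of Linux `ip xfrm state` output; the sample dump is constructed, with all-zero dummy keys.

```python
"""Audit an `ip xfrm state` dump: flag IPsec SAs whose keys will never be
rotated (no hard lifetime at all, typical of manually installed SAs) and
SAs with no partner for the return direction.  Added example, not from
the thread; the line layout follows Linux `ip xfrm state` text output and
the sample dump is constructed with all-zero dummy keys."""

import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class SecurityAssociation:
    src: str
    dst: str
    proto: str = ""
    spi: str = ""
    hard_bytes: Optional[int] = None     # None == (INF): no byte limit
    hard_packets: Optional[int] = None   # None == (INF): no packet limit
    hard_expire_sec: int = 0             # 0: no time-based expiry

    def rekeys(self) -> bool:
        """True if some hard limit is set, so the kernel will expire the SA
        and a key manager (e.g. IKE) has to replace it with fresh keys."""
        return (self.hard_expire_sec > 0 or self.hard_bytes is not None
                or self.hard_packets is not None)


HEADER = re.compile(r"^src (\S+) dst (\S+)$")
PROTO = re.compile(r"^proto (\S+) spi (0x[0-9a-fA-F]+)")
LIMIT = re.compile(r"^limit: soft .+?\((bytes|packets)\), hard (.+?)\((?:bytes|packets)\)")
EXPIRE_ADD = re.compile(r"^expire add: soft \d+\(sec\), hard (\d+)\(sec\)")


def _limit(token: str) -> Optional[int]:
    return None if token == "(INF)" else int(token)


def parse_xfrm_state(dump: str) -> list[SecurityAssociation]:
    """Turn the text dump into one record per SA (unknown lines are skipped)."""
    sas: list[SecurityAssociation] = []
    for raw in dump.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            sas.append(SecurityAssociation(src=m.group(1), dst=m.group(2)))
        elif not sas:
            continue                      # text before the first SA record
        elif m := PROTO.match(line):
            sas[-1].proto, sas[-1].spi = m.group(1), m.group(2)
        elif m := LIMIT.match(line):
            if m.group(1) == "bytes":
                sas[-1].hard_bytes = _limit(m.group(2))
            else:
                sas[-1].hard_packets = _limit(m.group(2))
        elif m := EXPIRE_ADD.match(line):
            sas[-1].hard_expire_sec = int(m.group(1))
    return sas


def audit(sas: list[SecurityAssociation]) -> list[str]:
    """Return one finding per SA that never rekeys or protects only one way."""
    findings = []
    for sa in sas:
        if not sa.rekeys():
            findings.append(f"{sa.src}->{sa.dst} spi {sa.spi}: no lifetime "
                            "limits, key is static until someone replaces it")
    directions = {(sa.src, sa.dst, sa.proto) for sa in sas}
    for sa in sas:
        if (sa.dst, sa.src, sa.proto) not in directions:
            findings.append(f"{sa.src}->{sa.dst} spi {sa.spi}: no {sa.proto} SA "
                            "for the return direction, traffic protected one way")
    return findings


# Constructed sample: one manually keyed SA (no limits, no return SA) and a
# pair of SAs with time-based lifetimes as a key manager would install them.
SAMPLE_DUMP = """\
src 10.0.0.1 dst 10.0.0.2
    proto esp spi 0x00000100 reqid 1 mode tunnel
    auth-trunc hmac(sha256) 0x0000000000000000000000000000000000000000000000000000000000000000 128
    enc cbc(aes) 0x00000000000000000000000000000000
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
src 10.0.0.3 dst 10.0.0.4
    proto esp spi 0xc1a2b3d4 reqid 2 mode tunnel
    aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 128
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 3060(sec), hard 3600(sec)
src 10.0.0.4 dst 10.0.0.3
    proto esp spi 0xd4c3b2a1 reqid 2 mode tunnel
    aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 128
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 3060(sec), hard 3600(sec)
"""

if __name__ == "__main__":
    for finding in audit(parse_xfrm_state(SAMPLE_DUMP)):
        print(finding)
```

On a real host the dump would come from `ip xfrm state` itself (run with the privileges that command needs); the heuristic is deliberately narrow, since an SA with no hard lifetime of any kind is the signature of a key nobody is managing, which is the gap the quoted message is pointing at.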