
RE: RADEXT Milestone revisions



Tschofenig, Hannes <mailto:hannes.tschofenig@siemens.com> supposedly scribbled:

> Hi Glen,
> 
>>> ok. that's a different story. i remember these two proposals. what i
>>> disliked with them was that they do not provide a solution for
>>> dynamic authentication and key management.
>> 
>> What do you mean by "dynamic authentication and key management"?
> 
> Let me give you two examples:
> 
> 1) IPsec
> 
> IPsec AH and IPsec ESP can be used with manually configured IPsec SAs.
> You just need to create two SAs (symmetric key, algorithms, ..) at
> each end point (if you want to protect the traffic in both
> directions).  
> 
> Alternatively, you can use IKEv2 (or IKEv2) to establish these
> security associations. The advantage: you use a signaling protocol
> for authentication and key management.  
> 
> 2) TLS
> 
> The TLS Record Layer provides protection of the data traffic. In
> order to be used you need to have fresh keying material suitable for
> the record layer available.  
> 
> Since the TLS Record Layer and the TLS Handshake protocol are tightly
> coupled within TLS you need to run the Handshake protocol to run the
> authentication and key exchange protocol to establish the necessary
> keying material.   
> 
> Currently it seems that you worry about the actual protection of the
> keying material delivery but you don't worry about the other part of
> the story.  

On the contrary, I'm quite concerned about the stuff you're talking about; problem is, the IETF is apparently not.

> 
> 
> Ciao
> Hannes
>> 
>>> why isn't something
>>> tackling this issue? this would also solve the aspect of algorithm
>>> negotiation. wouldn't be something like radius domain of
>>> interpretation for isakmp be appropriate here.
>> 
>> ...
>> 
>> ~gwz
>> 
>> Why is it that most of the world's problems can't be solved by simply
>>   listening to John Coltrane? -- Henry Gabriel

Hope this helps,

~gwz

Why is it that most of the world's problems can't be solved by simply
  listening to John Coltrane? -- Henry Gabriel

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>