[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Shim6 proxies

To: Erik Nordmark <erik.nordmark@sun.com>
Subject: Re: Shim6 proxies
From: Paul Jakma <paul@clubi.ie>
Date: Thu, 15 Jun 2006 02:14:17 +0100 (IST)
Cc: Iljitsch van Beijnum <iljitsch@muada.com>, marcelo bagnulo braun <marcelo@it.uc3m.es>, shim6-wg <shim6@psg.com>
In-reply-to: <44901C35.1020405@sun.com>
Mail-copies-to: paul@jakma.org
References: <Pine.LNX.4.58.0603271434050.29315@sleibrand-ibm.acs.internap.com> <be3431f1f15b52f98dc22e4edeba3aa2@it.uc3m.es> <Pine.LNX.4.58.0603301131490.15884@sleibrand-ibm.acs.internap.com> <4444313C.7010204@sun.com> <BC7898C5-DAE1-47B0-B125-C811E8F39F23@muada.com> <06b0b71eb68c13e16a6e71e587ce0c32@it.uc3m.es> <36E51BBA-18F9-4823-8EEF-FE75112F5BC4@muada.com> <44901C35.1020405@sun.com>

On Wed, 14 Jun 2006, Erik Nordmark wrote:

The host (which doesn't have a cert) uses HBA. Looks upwww.example.com and gets some IP addresses. The shim6 layer on thehost is told the FQDN for the peer.
During the shim6 context establishment TLS is used, which verifiesthe server's cert.

FWIW: When[1] DNS-Sec is involved, you may well already haveverified credentials for:


- the example.com zone
- the www.example.com address record
- potentially an RSA public key for www.example.com itself

In which case, as an optimisation, the whole TLS setup andverification could be left out - redundant.


1. Which might actually happen within the next few years, as ISC seem
   to be really trying to jump-start deployment.

regards,
--
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
Fortune:
Well, you know, no matter where you go, there you are.
		-- Buckaroo Banzai

References:
- Shim6 proxies
  - From: Scott Leibrand <sleibrand@internap.com>
- Re: Shim6 proxies
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: Shim6 proxies
  - From: Scott Leibrand <sleibrand@internap.com>
- Re: Shim6 proxies
  - From: Erik Nordmark <erik.nordmark@sun.com>
- Re: Shim6 proxies
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: Shim6 proxies
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: Shim6 proxies
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: Shim6 proxies
  - From: Erik Nordmark <erik.nordmark@sun.com>

Prev by Date: Re: Shim6 proxies
Next by Date: RE: I-D ACTION:draft-ietf-shim6-applicability-01.txt
Previous by thread: Re: Shim6 proxies
Next by thread: shim6 proxies
Index(es):
- Date
- Thread