
RE: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006



What I glean (using this word on purpose) is that I entrust the encryption,
and, as I stated, this only secures layer 3 for Shim6.  Once the processes
after IPsec happen, another level of security can begin at the Shim layer
or transport layer for the ULIDs.  That way we can plug and play various
solutions at that point, I think, as you suggest below, if I read your mail
correctly?

Best,
/jimb 

> -----Original Message-----
> From: Pekka Savola [mailto:pekkas@netcore.fi] 
> Sent: Tuesday, July 11, 2006 8:01 AM
> To: Bound, Jim
> Cc: shim6@psg.com
> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> 
> On Tue, 11 Jul 2006, Bound, Jim wrote:
> > Recommendation: For now remove HBA and the use of ULID security
> > specifying HBA and leave it as work to be completed that avoids this
> > IPR problem with CGA.  Suggestion is to simply embed ULIDs within the
> > data payload with new option and secure all communications at least
> > for now for IP layer communications with IPsec encryption based on
> > locator pair.
> > Separating the movement of Shim6 to proposed standard from the issue
> > of ULID security using HBA.
> 
> How could this any-to-any IPsec (no prior relation to your
> peers can be assumed) be made to work?  Are you suggesting
> using BTNS, opportunistic IPsec, and/or something else?  What
> would be the impact on security of our solution?
> 
> I think this potential solution path was hinted at the 
> security directorate review we got some time ago, but as Jari 
> Arkko said, it wasn't clear whether secdir fully understood 
> the implications what using for example IPsec might mean for 
> the solution.
> 
> -- 
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>