[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006

To: "marcelo bagnulo braun" <marcelo@it.uc3m.es>
Subject: RE: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
From: "Bound, Jim" <Jim.Bound@hp.com>
Date: Wed, 19 Jul 2006 09:52:01 -0400
Cc: <shim6@psg.com>, "Pekka Savola" <pekkas@netcore.fi>, "Iljitsch van Beijnum" <iljitsch@muada.com>
In-reply-to: <16450eebc1c7e73684d031441e20b5c8@it.uc3m.es>

Hi Marcello,

Well my view is specs cannot make assumptions about market deployment the question first to ask is would IPsec work.  None of us have a crystal ball and our engineering work here is usually focused on the protocol behavior and that it does no harm and does not cause interoperability problems.

/jim 

> -----Original Message-----
> From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es] 
> Sent: Wednesday, July 19, 2006 5:57 AM
> To: Bound, Jim
> Cc: shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> 
> Hi Jim,
> 
> 
> El 11/07/2006, a las 17:25, Bound, Jim escribió:
> 
> > I see this point.  Clearly public or pre-shared PKI has to 
> exist yes.
> > But enclaves of network users will have this association is the 
> > assumption.  So if we are not in some enclave we would need to join 
> > one to send each other files via IPsec with encrypt.  The 
> enclaves are 
> > being built now.
> 
> 
> As i understand it, the only way to make the shim6 security 
> based on IPSec is to assume that a global PKI is deployed, 
> including client certificates (i.e. not only server 
> certificates) so that it is possible to secure any-to-any 
> communication.
> 
>  From what i understand such global pki is not in place yet 
> and it doesn't looks like it will be anytime soon if ever.
> 
> So, i really don't think it is reasonable to build the security on the
> shim6 relying on such global pki deployment
> 
> does anybody think that it would be acceptable to build the 
> shim6 security based on the  assumption of a global PKI deployment?
> 
> Regards, marcelo
> 
> 
> >
> > Sorry I missed your point.
> >
> > /jim
> >
> >> -----Original Message-----
> >> From: Iljitsch van Beijnum [mailto:iljitsch@muada.com]
> >> Sent: Tuesday, July 11, 2006 10:19 AM
> >> To: Bound, Jim
> >> Cc: Pekka Savola; shim6@psg.com
> >> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> >>
> >> On 11-jul-2006, at 10:13, Bound, Jim wrote:
> >>
> >>> IPsec is deployed end-to-end for v4 and v6 in production 
> not sure I 
> >>> agree no one knows how to do this and I think I 
> misunderstood your 
> >>> statement below?  Thanks.
> >>
> >> So if I want to send you a file and I want to encrypt it 
> with IPsec, 
> >> how do I do that, without making special arrangements first?
> >>
> >> IPsec is only used for VPN tunnels in practice today.
> >>
> >
> 
>

Follow-Ups:
- Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>

References:
- Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>

Prev by Date: RE: IPsec Issue Discussed for Shim6 at IETF Meeting July 10, 2006
Next by Date: RE: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
Previous by thread: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
Next by thread: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
Index(es):
- Date
- Thread