
RE: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006



You can also assume the security is already protected with IPsec.
/jim 

> -----Original Message-----
> From: owner-shim6@psg.com [mailto:owner-shim6@psg.com] On Behalf Of Iljitsch van Beijnum
> Sent: Wednesday, July 19, 2006 9:02 AM
> To: marcelo bagnulo braun
> Cc: shim6-wg
> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> 
> On 19-jul-2006, at 14:39, marcelo bagnulo braun wrote:
> 
> > server certificates are more widely used than client certificates 
> > indeed, but in the case of the shim6 we need certificates for both 
> > ends, so what do we do for securing the client?
> 
> Why? If one end has a certificate the communication can be secure.
> 
> > besides, currently deployed certificates provide binding between FQDNs
> > and public key.... while in the shim6 we need binding between IP
> > addresses and public keys, meaning that currently deployed
> > certificates are not good
> 
> Yes, this involves a trip to the DNS...
> 
> > in addition, using certificates and public key crypto is much more
> > expensive than CGAs, since they would involve public key operations
> > not only for the validation of the locator set (as in CGA) but also
> > for the validation of the certificates themselves (and this cost
> > grows if the certification chain is long). In addition, there is the
> > overhead due to the transmission of the certificates in the protocol
> > itself, including all the certificates in the cert chain, which may
> > even not fit in a single packet so we may end up needing to send
> > multi-packet messages.
> 
> > and all this for every shimmed communication....
> 
> This is certainly true. On the other hand, if the 
> communication is already protected with TLS the _additional_ 
> overhead isn't much.
> 
> Also, I think it would make sense to do the shim negotiation 
> inside a TLS protected TCP session, which should handle all 
> the packet size issues.
> 
> > i thought that one of the key goals in the shim6 design was 
> > efficiency.... such an approach would really move us apart from the 
> > efficiency path...
> 
> HBA is much more efficient so that should stay security 
> option #1, but it would certainly be nice to have an 
> alternative that allows easier implementation of shim6 
> proxies and lets people avoid the patent issues if they want.
> 
>