
Re: Security Module for shim6 or hip really



Hi Jim,

On 19/07/2006, at 17:19, Bound, Jim wrote:

A suggestion proposed at the Montreal IETF SHIM6 WG meeting was to treat
the security of ULIDs as a module (abstractly speaking) for SHIM6 where
the user or implementer can plug in different solutions.  We would
abstract out ULID processing for security so that multiple solutions
could be used.

well, this is to some extent already the case...

i mean the base protocol has support for multiple security mechanisms including CGA and HBA but it leaves the door open to other solutions to protect the binding

However, the problem is that imho we need to standardize at least one of the security mechanisms, if not the shim6 protocol is simply useless

the current draft proposes two mechanisms the CGA and the HBAs (an implementation can implement just one of them)

i guess that the ongoing discussion is whether we can change the default mechanisms for other alternative ones.

Regards, marcelo


Each solution would be its own IETF draft specification
and IETF discussion with close collaboration with the IETF Security
Area. I think this would be doing proper engineering diligence for this
problem and we can explore HBA, TLS, IPsec and even other options. This
also would permit the shim6 spec to move forward and provide a security
note in the spec and avoid the in process IPR debate for CGA.

Thoughts?

/jim