
Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006




On 19/07/2006, at 17:37, Bound, Jim wrote:

I don't think we can ever require that and nor have we in any spec.

agree

but if the security of the shim is based on IPSec, then the shim can only be used securely if the peers have either certificates or preshared keys.

In other words, we would not be imposing that PKI is deployed, but basing the shim6 security on IPSec is requiring the availability of certificates for both peers in order to be able to use the shim. If no certificates are available at the peers, the shim6 protocol cannot be used safely.

Regards, marcelo


Preshared keys work, but the point is that that is a market decision, not an IETF decision. We build the protocols, with operational guidance in some cases; whether or how they are used in the market is a red herring for our work to keep moving forward. We are more like scientists, not marketing and business people.
/jim

-----Original Message-----
From: Fiumano, Michael F [NTK] [mailto:Michael.F.Fiumano@sprint.com]
Sent: Wednesday, July 19, 2006 10:25 AM
To: Bound, Jim; marcelo bagnulo braun; Francis Dupont
Cc: shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
Subject: RE: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006

Very few who use IPSec also use PKI.  Most use a pre-shared
key.  I hope that no one is requiring that a PKI be in place
in order to use shim6.

Michael Fiumano
Senior Network Engineer
IP Core Infrastructure
703-689-5875 Wk
703-598-2434 Cel
michael.f.fiumano@sprint.com




-----Original Message-----
From: owner-shim6@psg.com [mailto:owner-shim6@psg.com] On
Behalf Of Bound, Jim
Sent: Wednesday, July 19, 2006 9:55 AM
To: marcelo bagnulo braun; Francis Dupont
Cc: shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
Subject: RE: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006

I was assuming the node regardless will use IPsec as
required.  Thus it really is not shim6 concern.  But I do
not believe no one will not deploy IPsec because of PKI that
is simply not true.  IPsec is deployed today with PKI.

/jim

-----Original Message-----
From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
Sent: Wednesday, July 19, 2006 8:04 AM
To: Francis Dupont
Cc: shim6@psg.com; Bound, Jim; Pekka Savola; Iljitsch van Beijnum
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006


On 19/07/2006, at 14:38, Francis Dupont wrote:

I can't see where Jim proposed to base the Shim6 security
on IPsec...

in message http://ops.ietf.org/lists/shim6/msg01511.html

it is stated that:

Suggestion is to simply embed ULIDs within the data payload with new
option and secure all communications at least for now for IP layer
communications with IPsec encryption based on locator pair.

meaning to use IPSec as an alternative to HBA security

(something which is known to require the impossible and even not
desirable global PKI :-)


exactly

Regards, marcelo


Regards

Francis.Dupont@point6.net