On 19/07/2006, at 18:35, Ahrenholz, Jeffrey M wrote:
To throw 2-cents into this conversation, the SIDR WG seems to be considering a global PKI, albeit for BGP routers and not end hosts. (http://www3.ietf.org/proceedings/06mar/slides/sidr-1.pdf)
right...but this seems to be quite different than what is needed for the shim6...
i mean for the shim6 protocol to work, we would need certificates that bind the address itself with the public key, while what sidr is after is a certificate that binds prefixes announced in the global routing table with public keys (as far as i understand, and i am not following this work very closely, so please correct me if i am wrong (i know you will :-)
So even if you did have the sidr-like global pki, you would still need to deploy host certificates to all hosts and renew those and so on. since the owners of the certificates used in sidr are the bgp players, creating the cert chain all the way down to the hosts may involve considerable deployment costs
regards, marcelo
-Jeff

As i understand it, the only way to make the shim6 security based on IPSec is to assume that a global PKI is deployed, including client certificates (i.e. not only server certificates) so that it is possible to secure any-to-any communication. From what i understand such a global pki is not in place yet and it doesn't look like it will be anytime soon, if ever.