
Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006




On 19/07/2006, at 18:35, Ahrenholz, Jeffrey M wrote:

To throw 2-cents into this conversation, the SIDR WG seems to be
considering a global PKI, albeit for BGP routers and not end hosts.
(http://www3.ietf.org/proceedings/06mar/slides/sidr-1.pdf)


right...

but this seems to be quite different than what is needed for the shim6...

i mean for the shim6 protocol to work, we would need certificates that bind the address itself with the public key, while what sidr is after is a certificate that binds prefixes announced in the global routing table with public keys (as far as i understand, and i am not following this work very closely, so please correct me if i am wrong (i know you will :-)

So even if you did have the sidr-like global pki, you would still need to deploy host certificates to all hosts and renew those and so on. since the owners of the certificates used in sidr are the bgp players, creating the cert chain all the way down to the hosts may involve considerable deployment costs

regards, marcelo




-Jeff

As i understand it, the only way to make the shim6 security based on
IPSec is to assume that a global PKI is deployed, including client
certificates (i.e. not only server certificates) so that it
is possible to secure any-to-any communication.

From what i understand such global pki is not in place yet and it
doesn't look like it will be anytime soon if ever.