
RE: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006



Global PKI is not required for certificates that can be done with pre-shared keys too or as we are doing with shim6 out-of-band signaling.  If any here believe IPsec will not be used end-to-end, think again please, it will.  IPsec is totally possible and I will not repeat my mail on enclaves for end-to-end PKI, as that is a deployment and systems integration implementation issue.

thanks
/jim 

> -----Original Message-----
> From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es] 
> Sent: Wednesday, July 19, 2006 11:32 AM
> To: Bound, Jim
> Cc: Francis Dupont; shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006 
> 
> 
> On 19/07/2006, at 16:55, Bound, Jim wrote:
> 
> > I was assuming the node regardless will use IPsec as required.  Thus
> > it really is not shim6 concern.  But I do not believe no one will not
> > deploy IPsec because of PKI that is simply not true.
> 
> I agree with this
> 
> 
> but the problem is that if you want to use IPSec to secure 
> the shim, you need to use certificates, if not the security 
> is not acceptable.
> 
> You need to provide a secure binding between the identifier 
> and the locators. IPSec without certificates does not 
> provide this feature. If you want to use IPSec to secure the 
> shim6 protocol, you need the certificates hence you need the 
> global PKI.
> 
> So in order to evaluate a solution based on IPSec for 
> securing the shim6, you need to consider the fact that a 
> global PKI is required for this.
> 
> Hence, the alternative solution for securing the shim at this 
> point would be IPSec+PKI, agree?
> 
> regards, marcelo
> 
> 
> 
> >   IPsec is deployed today with PKI.
> >
> 
> 
> > /jim
> >
> >> -----Original Message-----
> >> From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
> >> Sent: Wednesday, July 19, 2006 8:04 AM
> >> To: Francis Dupont
> >> Cc: shim6@psg.com; Bound, Jim; Pekka Savola; Iljitsch van Beijnum
> >> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> >>
> >>
> >> On 19/07/2006, at 14:38, Francis Dupont wrote:
> >>
> >>> I can't see where Jim proposed to base the Shim6 security on IPsec...
> >>
> >> in message http://ops.ietf.org/lists/shim6/msg01511.html
> >>
> >> it is stated that:
> >>
> >> Suggestion is to simply embed ULIDs within the data payload with new
> >> option and secure all communications at least for now for IP layer
> >> communications with IPsec encryption based on locator pair.
> >>
> >> meaning to use IPSec as an alternative to HBA security
> >>
> >>> (something which is known to require the impossible and even not 
> >>> desirable global PKI :-)
> >>>
> >>
> >> exactly
> >>
> >> Regards, marcelo
> >>
> >>
> >>> Regards
> >>>
> >>> Francis.Dupont@point6.net
> >>>
> >>
> >>
> >
> 
>