[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006




El 19/07/2006, a las 20:01, Bound, Jim escribió:

I don't agree it is huge deployment obstacle,

i guess e need to agree to disagree here.

I certainly think that requiring certificates issued by a global PKIto all the nodes running shim6 is a huge deployment obstacle

what do others think? does it seems an acceptable apporach to base shim6 security in the availability of certificates issue by a global PKI in all shim6 peers?

 but if it was it is not our issue here in IETF WG.

yes it is. because if we propose a protocol that relies on tools that require massive dpeloyment cost, then the protocol is likely to not be deployed so it is a poor solution. As engineers, we need to provide deployable solutions i.e solutions with a reduced deployment costs (in other words, the deployment cost is a factor to be taken into account when evaluating different solutions)


Biometric, Smartcards, LinkIDs can all be preshared and associated with enclaves per the other thread on end-to-end PKI.


i am not sure what do you mean here, but i am afraid that of all these abve, only preshared secret and global pki could be used to secure the shim... i don't think biometrics or smarcards can help here..


regards, marcelo



/jim

-----Original Message-----
From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
Sent: Wednesday, July 19, 2006 11:28 AM
To: Bound, Jim
Cc: shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006


El 19/07/2006, a las 16:52, Bound, Jim escribió:

Hi Marcello,

Well my view is specs cannot make assumptions about market
deployment
the question first to ask is would IPsec work.

i agree with this

however, it is imho completelly valid to evaluate different
solutions based on their deployment costs.

A solution based on IPSec requires either pre shared keys
between all the nodes in the internet or certificates for all
the nodes of the internet. This is a huge deployment
obstacle. So this solution does present this problem and
needs to be taken into account when evaluating different
solutions. A solution that does not requires this would
require less deployment effort. Of course this is not the
only (or even most important) consideration when evaluating
alternative solutions but it is indeed an important element
imho, do you agree?

regards, marcelo


  None of us have a crystal ball and our engineering work here is
usually focused on the protocol behavior and that it does
no harm and
does not cause interoperability problems.

/jim

-----Original Message-----
From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
Sent: Wednesday, July 19, 2006 5:57 AM
To: Bound, Jim
Cc: shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006

Hi Jim,


El 11/07/2006, a las 17:25, Bound, Jim escribió:

I see this point.  Clearly public or pre-shared PKI has to
exist yes.
But enclaves of network users will have this association is the
assumption.  So if we are not in some enclave we would
need to join
one to send each other files via IPsec with encrypt.  The
enclaves are
being built now.


As i understand it, the only way to make the shim6
security based on
IPSec is to assume that a global PKI is deployed, including client
certificates (i.e. not only server
certificates) so that it is possible to secure any-to-any
communication.

 From what i understand such global pki is not in place yet and it
doesn't looks like it will be anytime soon if ever.

So, i really don't think it is reasonable to build the security on
the
shim6 relying on such global pki deployment

does anybody think that it would be acceptable to build the
shim6 security based on the  assumption of a global PKI deployment?

Regards, marcelo



Sorry I missed your point.

/jim

-----Original Message-----
From: Iljitsch van Beijnum [mailto:iljitsch@muada.com]
Sent: Tuesday, July 11, 2006 10:19 AM
To: Bound, Jim
Cc: Pekka Savola; shim6@psg.com
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006

On 11-jul-2006, at 10:13, Bound, Jim wrote:

IPsec is deployed end-to-end for v4 and v6 in production
not sure I
agree no one knows how to do this and I think I
misunderstood your
statement below?  Thanks.

So if I want to send you a file and I want to encrypt it
with IPsec,
how do I do that, without making special arrangements first?

IPsec is only used for VPN tunnels in practice today.