Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006

[marcelo bagnulo braun <marcelo@it.uc3m.es>]

El 19/07/2006, a las 20:01, Bound, Jim escribió:

> I don't agree it is huge deployment obstacle,

i guess e need to agree to disagree here.

I certainly think that requiring certificates issued by a global PKIto 
all the nodes running shim6 is a huge deployment obstacle

what do others think? does it seems an acceptable apporach to base 
shim6 security in the availability of certificates issue by a global 
PKI in all shim6 peers?

>  but if it was it is not our issue here in IETF WG.

yes it is. because if we propose a protocol that relies on tools that 
require massive dpeloyment cost, then the protocol is likely to not be 
deployed so it is a poor solution. As engineers, we need to provide 
deployable solutions i.e solutions with a reduced deployment costs (in 
other words, the deployment cost is a factor to be taken into account 
when evaluating different solutions)


>   Biometric, Smartcards, LinkIDs can all be preshared and associated 
> with enclaves per the other thread on end-to-end PKI.

i am not sure what do you mean here, but i am afraid that of all these 
abve, only preshared secret and global pki could be used to secure the 
shim... i don't think biometrics or smarcards can help here..


regards, marcelo



> /jim
>
> > -----Original Message-----
> > From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
> > Sent: Wednesday, July 19, 2006 11:28 AM
> > To: Bound, Jim
> > Cc: shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
> > Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> >
> >
> > El 19/07/2006, a las 16:52, Bound, Jim escribió:
> >
> > > Hi Marcello,
> > >
> > > Well my view is specs cannot make assumptions about market
> > deployment
> > > the question first to ask is would IPsec work.
> >
> > i agree with this
> >
> > however, it is imho completelly valid to evaluate different
> > solutions based on their deployment costs.
> >
> > A solution based on IPSec requires either pre shared keys
> > between all the nodes in the internet or certificates for all
> > the nodes of the internet. This is a huge deployment
> > obstacle. So this solution does present this problem and
> > needs to be taken into account when evaluating different
> > solutions. A solution that does not requires this would
> > require less deployment effort. Of course this is not the
> > only (or even most important) consideration when evaluating
> > alternative solutions but it is indeed an important element
> > imho, do you agree?
> >
> > regards, marcelo
> >
> >
> > >   None of us have a crystal ball and our engineering work here is
> > > usually focused on the protocol behavior and that it does
> > no harm and
> > > does not cause interoperability problems.
> > >
> > > /jim
> > >
> > > > -----Original Message-----
> > > > From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
> > > > Sent: Wednesday, July 19, 2006 5:57 AM
> > > > To: Bound, Jim
> > > > Cc: shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
> > > > Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> > > >
> > > > Hi Jim,
> > > >
> > > >
> > > > El 11/07/2006, a las 17:25, Bound, Jim escribió:
> > > >
> > > > > I see this point.  Clearly public or pre-shared PKI has to
> > > > exist yes.
> > > > > But enclaves of network users will have this association is the
> > > > > assumption.  So if we are not in some enclave we would
> > need to join
> > > > > one to send each other files via IPsec with encrypt.  The
> > > > enclaves are
> > > > > being built now.
> > > >
> > > >
> > > > As i understand it, the only way to make the shim6
> > security based on
> > > > IPSec is to assume that a global PKI is deployed, including client
> > > > certificates (i.e. not only server
> > > > certificates) so that it is possible to secure any-to-any
> > > > communication.
> > > >
> > > >  From what i understand such global pki is not in place yet and it
> > > > doesn't looks like it will be anytime soon if ever.
> > > >
> > > > So, i really don't think it is reasonable to build the security on
> > > > the
> > > > shim6 relying on such global pki deployment
> > > >
> > > > does anybody think that it would be acceptable to build the
> > > > shim6 security based on the  assumption of a global PKI deployment?
> > > >
> > > > Regards, marcelo
> > > >
> > > >
> > > > > Sorry I missed your point.
> > > > >
> > > > > /jim
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Iljitsch van Beijnum [mailto:iljitsch@muada.com]
> > > > > > Sent: Tuesday, July 11, 2006 10:19 AM
> > > > > > To: Bound, Jim
> > > > > > Cc: Pekka Savola; shim6@psg.com
> > > > > > Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> > > > > >
> > > > > > On 11-jul-2006, at 10:13, Bound, Jim wrote:
> > > > > >
> > > > > > > IPsec is deployed end-to-end for v4 and v6 in production
> > > > not sure I
> > > > > > > agree no one knows how to do this and I think I
> > > > misunderstood your
> > > > > > > statement below?  Thanks.
> > > > > >
> > > > > > So if I want to send you a file and I want to encrypt it
> > > > with IPsec,
> > > > > > how do I do that, without making special arrangements first?
> > > > > >
> > > > > > IPsec is only used for VPN tunnels in practice today.