RE: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
You and I are disagreeing on where the market is going to go technically. I don't think we will compromise or that we can converge, so I am trying to save a lot of email here.
What we need the working group to discuss now is how much, and when, we worry about the market doing our engineering/scientific work to identify a protocol. I could provide quite a few examples of good IETF work that is an RFC but might never be deployed in production. Also, as I said, SHIM6 will not be pervasive in the market for at least 5 years, and we have time to think; there is no rush here at all.
/jim
> -----Original Message-----
> From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
> Sent: Wednesday, July 19, 2006 3:20 PM
> To: Bound, Jim
> Cc: shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
>
>
> On 19/07/2006, at 20:01, Bound, Jim wrote:
>
> > I don't agree it is huge deployment obstacle,
>
> I guess we need to agree to disagree here.
>
> I certainly think that requiring certificates issued by a
> global PKI for all the nodes running shim6 is a huge deployment obstacle.
>
> What do others think? Does it seem an acceptable approach to base
> shim6 security on the availability of certificates issued by a
> global PKI to all shim6 peers?
>
> > but if it was it is not our issue here in IETF WG.
>
> Yes, it is, because if we propose a protocol that relies on
> tools that require massive deployment cost, then the protocol
> is likely not to be deployed, so it is a poor solution. As
> engineers, we need to provide deployable solutions, i.e.
> solutions with reduced deployment costs (in other words,
> the deployment cost is a factor to be taken into account when
> evaluating different solutions).
>
>
> > Biometric, Smartcards, LinkIDs can all be preshared and
> associated
> > with enclaves per the other thread on end-to-end PKI.
> >
>
> I am not sure what you mean here, but I am afraid that of
> all those above, only a preshared secret and a global PKI could be
> used to secure the shim... I don't think biometrics or
> smartcards can help here.
>
>
> regards, marcelo
>
>
>
> > /jim
> >
> >> -----Original Message-----
> >> From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
> >> Sent: Wednesday, July 19, 2006 11:28 AM
> >> To: Bound, Jim
> >> Cc: shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
> >> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> >>
> >>
> >> On 19/07/2006, at 16:52, Bound, Jim wrote:
> >>
> >>> Hi Marcelo,
> >>>
> >>> Well, my view is that specs cannot make assumptions about market
> >>> deployment; the question to ask first is would IPsec work.
> >>
> >> I agree with this.
> >>
> >> However, it is imho completely valid to evaluate
> >> different solutions based on their deployment costs.
> >>
> >> A solution based on IPsec requires either pre-shared keys
> >> between all the nodes in the internet or certificates for all the nodes of the
> >> internet. This is a huge deployment obstacle. So this
> >> solution does present this problem, and it needs to be taken into account when
> >> evaluating different solutions. A solution that does not require
> >> this would require less deployment effort. Of course this
> >> is not the only (or even the most important) consideration when evaluating
> >> alternative solutions, but it is indeed an important
> >> element imho; do you agree?
> >>
> >> regards, marcelo
> >>
> >>
> >>> None of us have a crystal ball, and our engineering work here is
> >>> usually focused on the protocol behavior and that it does
> >>> no harm and does not cause interoperability problems.
> >>>
> >>> /jim
> >>>
> >>>> -----Original Message-----
> >>>> From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
> >>>> Sent: Wednesday, July 19, 2006 5:57 AM
> >>>> To: Bound, Jim
> >>>> Cc: shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
> >>>> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> >>>>
> >>>> Hi Jim,
> >>>>
> >>>>
> >>>> On 11/07/2006, at 17:25, Bound, Jim wrote:
> >>>>
> >>>>> I see this point. Clearly a public or pre-shared PKI has to
> >>>>> exist, yes.
> >>>>> But the assumption is that enclaves of network users will have this
> >>>>> association. So if we are not in some enclave we would
> >>>>> need to join one to send each other files via IPsec with encryption. The
> >>>>> enclaves are being built now.
> >>>>
> >>>>
> >>>> As I understand it, the only way to make the shim6
> >>>> security based on IPsec is to assume that a global PKI is deployed,
> >>>> including client certificates (i.e. not only server
> >>>> certificates) so that it is possible to secure any-to-any
> >>>> communication.
> >>>>
> >>>> From what I understand, such a global PKI is not in place
> >>>> yet, and it doesn't look like it will be anytime soon, if ever.
> >>>>
> >>>> So, I really don't think it is reasonable to build the
> >>>> security of shim6 relying on such a global PKI deployment.
> >>>>
> >>>> Does anybody think that it would be acceptable to build the
> >>>> shim6 security based on the assumption of a global PKI
> >>>> deployment?
> >>>>
> >>>> Regards, marcelo
> >>>>
> >>>>
> >>>>>
> >>>>> Sorry I missed your point.
> >>>>>
> >>>>> /jim
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Iljitsch van Beijnum [mailto:iljitsch@muada.com]
> >>>>>> Sent: Tuesday, July 11, 2006 10:19 AM
> >>>>>> To: Bound, Jim
> >>>>>> Cc: Pekka Savola; shim6@psg.com
> >>>>>> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> >>>>>>
> >>>>>> On 11-jul-2006, at 10:13, Bound, Jim wrote:
> >>>>>>
> >>>>>>> IPsec is deployed end-to-end for v4 and v6 in production;
> >>>>>>> I am not sure I agree that no one knows how to do this, and I think I
> >>>>>>> misunderstood your statement below? Thanks.
> >>>>>>
> >>>>>> So if I want to send you a file and I want to encrypt it
> >>>>>> with IPsec, how do I do that, without making special arrangements first?
> >>>>>>
> >>>>>> IPsec is only used for VPN tunnels in practice today.
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>
> >>
> >
>
>
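The thread contrasts shim6 security built on IPsec with a global PKI (client certificates on every peer) against the CGA/HBA approach named in the subject. As an added illustration, not code from any of the participants or from a shim6 implementation, the block below implements the Cryptographically Generated Address construction of RFC 3972 in Python: the interface identifier is a SHA-1 hash over the owner's public key and the CGA Parameters, so a peer can check that an address binds to a key using only the address and those parameters, with no certificate and no pre-shared key. HBA (which hashes a set of prefixes) is not implemented here; the public key is a constructed byte string standing in for the DER-encoded SubjectPublicKeyInfo that the RFC hashes, and no extension fields are used.

```python
"""Cryptographically Generated Addresses (RFC 3972), Hash1/Hash2 construction.

Added example for the shim6 discussion; not code from the thread's authors.
Assumptions: the "public key" is a constructed stand-in for a DER-encoded
SubjectPublicKeyInfo, and the CGA Parameters carry no extension fields.
"""
import hashlib
import ipaddress
import os
from typing import Optional, Tuple

HASH1_LEN = 8       # leftmost 64 bits of Hash1 become the interface identifier
HASH2_LEN = 14      # leftmost 112 bits of Hash2 must start with 16*Sec zero bits
MAX_COLLISION = 2   # RFC 3972 permits collision counts 0, 1 and 2 only


def _params(modifier: bytes, prefix: bytes, collision: int, pubkey: bytes) -> bytes:
    """Serialise the CGA Parameters: modifier | subnet prefix | collision count | key."""
    assert len(modifier) == 16 and len(prefix) == 8 and 0 <= collision <= MAX_COLLISION
    return modifier + prefix + bytes([collision]) + pubkey


def _hash1(modifier: bytes, prefix: bytes, collision: int, pubkey: bytes) -> bytes:
    return hashlib.sha1(_params(modifier, prefix, collision, pubkey)).digest()[:HASH1_LEN]


def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    # Hash2 is taken with the prefix and collision count zeroed (9 zero octets).
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:HASH2_LEN]


def _hash2_ok(h2: bytes, sec: int) -> bool:
    """True when the leftmost 16*sec bits of Hash2 are zero (trivially true for Sec=0)."""
    return int.from_bytes(h2, "big") >> (HASH2_LEN * 8 - 16 * sec) == 0


def _iid_from_hash1(h1: bytes, sec: int) -> bytes:
    iid = bytearray(h1)
    # Bits 0-2 of the identifier carry Sec; bits 6-7 (the u and g bits) are cleared.
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)


def generate(prefix: bytes, pubkey: bytes, sec: int = 0,
             modifier: Optional[bytes] = None, collision: int = 0
             ) -> Tuple[ipaddress.IPv6Address, bytes]:
    """Return (address, modifier) for a CGA in `prefix` bound to `pubkey`.

    For Sec > 0 the modifier is incremented until Hash2 has 16*Sec leading zero
    bits; that work is what makes brute-forcing a matching key expensive.
    """
    m = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    while not _hash2_ok(_hash2(m.to_bytes(16, "big"), pubkey), sec):
        m = (m + 1) % (1 << 128)
    modifier = m.to_bytes(16, "big")
    iid = _iid_from_hash1(_hash1(modifier, prefix, collision, pubkey), sec)
    return ipaddress.IPv6Address(prefix + iid), modifier


def verify(addr, modifier: bytes, prefix: bytes, collision: int, pubkey: bytes) -> bool:
    """RFC 3972 section 5: does `addr` bind to `pubkey` under these CGA Parameters?"""
    if not 0 <= collision <= MAX_COLLISION:
        return False
    packed = ipaddress.IPv6Address(addr).packed
    if packed[:8] != prefix:           # parameters must name the address's own prefix
        return False
    iid = packed[8:]
    sec = iid[0] >> 5
    h1 = _hash1(modifier, prefix, collision, pubkey)
    # Compare the 59 identifier bits outside Sec (bits 0-2) and u/g (bits 6-7).
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    return _hash2_ok(_hash2(modifier, pubkey), sec)


if __name__ == "__main__":
    PREFIX = ipaddress.IPv6Address("2001:db8:1::").packed[:8]
    owner_key = b"\x30\x5c" + b"\x01" * 92      # constructed stand-in for a DER public key
    attacker_key = b"\x30\x5c" + b"\x02" * 92   # constructed: a different key
    addr, mod = generate(PREFIX, owner_key, sec=1)
    print(addr, verify(addr, mod, PREFIX, 0, owner_key))   # owner's key: True
    print(verify(addr, mod, PREFIX, 0, attacker_key))      # other key: False
```

The second `verify` call is the point the thread turns on: a peer that presents a different key for the same address fails the check without any trusted third party being consulted, because the address itself commits to the key. Note that this only proves the correspondent owns the address it claims; it says nothing about who they are, and a signature with the bound key is still needed to protect the shim6 locator-update messages.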