
Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006




El 19/07/2006, a las 22:28, Bound, Jim escribió:

You and I are disagreeing on where the market is going to go technically. I don't think we will compromise or that we can converge. So trying to save a lot of email here.

What we need the working group to discuss now is how much and when do we worry about the market doing our engineering/scientist work to identify a protocol.

exactly

i think we (you and me) have sent enough emails about this point; the point is whether the wg thinks that basing the shim6 security on widespread availability of certificates issued by a global PKI is acceptable or not

comments from the wg?

regards, marcelo



I could provide quite a few examples from good IETF work that is an RFC that might never be deployed in production. Also, as I said, SHIM6 will not be pervasive for at least 5 years in the market and we have time to think; there is no rush here at all.

/jim

-----Original Message-----
From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
Sent: Wednesday, July 19, 2006 3:20 PM
To: Bound, Jim
Cc: shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006


El 19/07/2006, a las 20:01, Bound, Jim escribió:

I don't agree it is a huge deployment obstacle,

i guess we need to agree to disagree here.

I certainly think that requiring certificates issued by a global PKI to all the nodes running shim6 is a huge deployment obstacle

what do others think? does it seem an acceptable approach to base shim6 security on the availability of certificates issued by a global PKI in all shim6 peers?

but if it was, it is not our issue here in the IETF WG.

yes it is. because if we propose a protocol that relies on tools that require massive deployment cost, then the protocol is likely to not be deployed, so it is a poor solution. As engineers, we need to provide deployable solutions, i.e. solutions with reduced deployment costs (in other words, the deployment cost is a factor to be taken into account when evaluating different solutions)


Biometric, Smartcards, LinkIDs can all be preshared and associated with enclaves per the other thread on end-to-end PKI.


i am not sure what you mean here, but i am afraid that of all these above, only preshared secret and global pki could be used to secure the shim... i don't think biometrics or smartcards can help here..


regards, marcelo



/jim

-----Original Message-----
From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
Sent: Wednesday, July 19, 2006 11:28 AM
To: Bound, Jim
Cc: shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006


El 19/07/2006, a las 16:52, Bound, Jim escribió:

Hi Marcelo,

Well, my view is specs cannot make assumptions about market deployment; the question first to ask is would IPsec work.

i agree with this

however, it is imho completely valid to evaluate different solutions based on their deployment costs.

A solution based on IPSec requires either pre-shared keys between all the nodes in the internet or certificates for all the nodes of the internet. This is a huge deployment obstacle. So this solution does present this problem and it needs to be taken into account when evaluating different solutions. A solution that does not require this would require less deployment effort. Of course this is not the only (or even most important) consideration when evaluating alternative solutions, but it is indeed an important element imho, do you agree?

regards, marcelo


None of us have a crystal ball and our engineering work here is usually focused on the protocol behavior and that it does no harm and does not cause interoperability problems.

/jim

-----Original Message-----
From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
Sent: Wednesday, July 19, 2006 5:57 AM
To: Bound, Jim
Cc: shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006

Hi Jim,


El 11/07/2006, a las 17:25, Bound, Jim escribió:

I see this point. Clearly public or pre-shared PKI has to exist, yes. But enclaves of network users will have this association is the assumption. So if we are not in some enclave we would need to join one to send each other files via IPsec with encrypt. The enclaves are being built now.


As i understand it, the only way to make the shim6 security based on IPSec is to assume that a global PKI is deployed, including client certificates (i.e. not only server certificates) so that it is possible to secure any-to-any communication.

From what i understand such global pki is not in place yet and it doesn't look like it will be anytime soon, if ever.

So, i really don't think it is reasonable to build the security of the shim6 relying on such global pki deployment

does anybody think that it would be acceptable to build the shim6 security based on the assumption of a global PKI deployment?

Regards, marcelo



Sorry I missed your point.

/jim

-----Original Message-----
From: Iljitsch van Beijnum [mailto:iljitsch@muada.com]
Sent: Tuesday, July 11, 2006 10:19 AM
To: Bound, Jim
Cc: Pekka Savola; shim6@psg.com
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006

On 11-jul-2006, at 10:13, Bound, Jim wrote:

IPsec is deployed end-to-end for v4 and v6 in production; not sure I agree no one knows how to do this, and I think I misunderstood your statement below? Thanks.

So if I want to send you a file and I want to encrypt it with IPsec, how do I do that, without making special arrangements first?

IPsec is only used for VPN tunnels in practice today.