
Re: IPsec !?, was: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006



 In your previous mail you wrote:

   > > Of course, we would have a very simple way out of this debate by
   > > mandating IPSEC, or more precisely only solving the "session
   > > continuity" problem if IPSEC is used.
   > 
   > IPsec keeps coming up but so far, nobody has been able to explain how
   > to make IPsec work between random hosts connected to the internet that
   > don't have any shared state yet.
   
   And how exactly is that harder than convincing random hosts that have no
   shared state to trust HBA or CGA information?

=> HBA or CGA are self-contained; IKE requires strong authentication,
which can work only with an infrastructure or shared state.

   In theory, one can use the same validation for IKE that one is
   ready to use for SHIM6,

=> no, this is the opposite: authentication is stronger than ownership,
which is stronger than address sharing, so IKE > CGA > HBA, and one
idea is to use IPsec/IKE to provide SHIM6 security when for other reasons
IPsec/IKE is already available (exactly the same limited applicability
as the IPsec used to protect MIPv6 MN-CN route optimization).

   and reuse IKEv2,

=> I agree for a "reuse" when we have already the "use".

   MOBIKE

=> MOBIKE is in fact not directly usable for multihoming (which was not
in its real (i.e., not the IETF) charter).

   and the like.
   
Regards

Francis.Dupont@point6.net