Re: IPsec !?, was: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006

[marcelo bagnulo braun <marcelo@it.uc3m.es>]

El 28/07/2006, a las 9:45, Francis Dupont escribió:

>  In your previous mail you wrote:
>
> > > Of course, we would have a very simple way out of this debate by
> > > mandating IPSEC, or more precisely only solving the "session
> > > continuity"
> > > problem if IPSEC is used.
> >
> > IPsec keeps coming up but so far, nobody has been able to explain how
> > to make IPsec work between random hosts connected to the internet that
> > don't have any shared state yet.
>
>    And how exactly is that harder than convincing random hosts that 
> have no
>    shared state to trust HBA or CGA information?
>
> => HBA or CGA are self contained, IKE requires strong authentication
> which can work only with an infrastructure or shared state.
>
>    In theory, one can use the same validation for IKE that one is
>    ready to use for SHIM6,
>
> => no, this is the opposite: authentication is stronger than ownership,
> which is stronger than address sharing, so IKE > CGA > HBA, and one
> idea is to use IPsec/IKE to provide SHIM6 security when for other 
> reasons
> IPsec/IKE is already available (exactly the same limited applicability
> than the IPsec to protect MIPv6 MN-CN routing optimization).
>
>    and reuse IKEv2,
>
> => I agree for a "reuse" when we have already the "use".

i think i fully agree here, but just to state things clear, there is no 
general any-to-any mechanism to prove address ownership using IPSec 
which is what is provided by CGA/HBA, this is why IPSec is not a 
possible substitute to HBA/CGA in shim

regards, marcelo


>    MOBIKE
>
> => MOBIKE has in fact not directly usable for multihoming (which was 
> not
> in its real (i.e., not the IETF) charter).
>
>    and the like.
>
> Regards
>
> Francis.Dupont@point6.net