[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IPsec !?, was: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
In your previous mail you wrote:
there is no general any-to-any mechanism to prove address ownership
using IPsec which is what is provided by CGA/HBA,
=> I strongly disagree: we don't need such a mechanism because IPsec
is based on mutual authentication which is a stronger property than
what is provided by CGA/HBA.
this is why IPSec is not a possible substitute to HBA/CGA in shim
=> I have exactly the opposite conclusion: we need a proof the alternate
address belongs to the same node, with a proper use of IPsec we have
a proof the traffic (including signaling) comes from the node we believe
it comes from, and than nobody can have modified it. And we can even have
more like confidentiality...
Regards
Francis.Dupont@point6.net