On 31/07/2006, at 1:13, Francis Dupont wrote:

> In your previous mail you wrote:
>
>    there is no general any-to-any mechanism to prove address ownership
>    using IPsec which is what is provided by CGA/HBA,
>
> => I strongly disagree: we don't need such a mechanism because IPsec is
> based on mutual authentication which is a stronger property than what
> is provided by CGA/HBA.

but in order to do that you need either a shared secret or a PKI, right? or do you know an any-to-any mechanism for providing mutual authentication that does not require a pre-existing trust relationship (i.e. preshared secret or PKI)?

>    this is why IPSec is not a possible substitute to HBA/CGA in shim
>
> => I have exactly the opposite conclusion: we need a proof the alternate
> address belongs to the same node, with a proper use of IPsec we have a
> proof the traffic (including signaling) comes from the node we believe
> it comes from, and that nobody can have modified it. And we can even have
> more like confidentiality...

but in order to provide this you need a preshared secret or PKI in all the hosts, right?

Regards, marcelo

> Regards
>
> Francis.Dupont@point6.net