On 31/07/2006, at 15:07, Francis Dupont wrote:
> In your previous mail you wrote:
>
> there is no general any-to-any mechanism to prove address ownership using IPsec, which is what is provided by CGA/HBA,
>
> => I strongly disagree: we don't need such a mechanism because IPsec is based on mutual authentication, which is a stronger property than what is provided by CGA/HBA.
>
> but in order to do that you need either a shared secret or a PKI, right?
>
> => yes, but this is not the subject of my answer: you argued IPsec doesn't provide the right service, I argued it provides it and perhaps (surely, in fact) a lot of other services. The way IPsec can (cannot, in fact) be used is another topic.
It seems we are in fact discussing different topics.

IMHO the only relevant topic of this whole discussion is not the theoretical capabilities of different protocols, but possible alternative security mechanisms for the shim6 protocol (it is not that the other discussions are not interesting, only that at this point in the WG what we need to understand is whether we have viable alternatives to CGA/HBA in the shim6 protocol).
So, saying that IPsec provides many more benefits than HBA/CGA but cannot be used because it relies on an infrastructure that is impossible to deploy in a reasonable time frame is as good as saying that IPsec is not a viable alternative, which IMHO should be the conclusion of this exchange. Would you agree with that?
regards, marcelo
Regards Francis.Dupont@point6.net
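The exchange above turns on what "proving address ownership with no shared secret and no PKI" means concretely. The following is an added example, not code from either participant or from the shim6 work: it implements CGA generation and verification as specified in RFC 3972 (the mechanism the thread refers to as CGA) using only Python's standard library. The subnet prefix, the starting modifier and the byte strings standing in for DER-encoded public keys are constructed for the demonstration; a real node would use its RSA key and, in shim6, sign its locator set with the matching private key, which is not shown here. Verification needs nothing but the address, the CGA Parameters and SHA-1, which is the any-to-any property the thread contrasts with IPsec's reliance on keying infrastructure.

```python
"""CGA (RFC 3972) generation and verification, standard library only.

Constructed example: the "public keys" below are arbitrary byte strings
standing in for DER-encoded keys; the prefix and starting modifier are
fixed so the run is reproducible (a real node picks the modifier at random).
"""
import hashlib

SEC_BITS_MASK = 0xE0      # three leftmost bits of the interface ID carry Sec
IID_COMPARE_MASK = 0x1C   # bits of the first IID octet that come from Hash1;
                          # bits 6 and 7 ("u" and "g") are forced to zero


def cga_params(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """CGA Parameters: modifier(16) || subnet prefix(8) || collision count(1) || key."""
    assert len(modifier) == 16 and len(prefix) == 8 and 0 <= collision_count <= 2
    return modifier + prefix + bytes([collision_count]) + pubkey


def hash1(params: bytes) -> bytes:
    """Leftmost 64 bits of SHA-1 over the full CGA Parameters."""
    return hashlib.sha1(params).digest()[:8]


def hash2(modifier: bytes, pubkey: bytes) -> bytes:
    """Leftmost 112 bits of SHA-1 with prefix and collision count zeroed (9 octets)."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def hash2_ok(h2: bytes, sec: int) -> bool:
    """The 16*Sec leftmost bits of Hash2 must be zero (hash extension)."""
    return h2[:2 * sec] == bytes(2 * sec)


def generate(prefix: bytes, pubkey: bytes, sec: int, modifier: bytes) -> tuple:
    """Return (address, params). `modifier` is the starting value of the search."""
    m = int.from_bytes(modifier, "big")
    while True:                                  # brute-force a modifier for Sec
        mod = m.to_bytes(16, "big")
        if hash2_ok(hash2(mod, pubkey), sec):
            break
        m = (m + 1) % (1 << 128)
    collision_count = 0                          # DAD would raise this on collision
    params = cga_params(mod, prefix, collision_count, pubkey)
    iid = bytearray(hash1(params))
    iid[0] = (iid[0] & IID_COMPARE_MASK) | (sec << 5)   # write Sec, clear u/g bits
    return prefix + bytes(iid), params


def verify(address: bytes, params: bytes) -> bool:
    """RFC 3972 section 5: True iff `params` bind the key to `address`."""
    if len(address) != 16 or len(params) < 25:
        return False
    modifier, prefix, collision_count, pubkey = params[:16], params[16:24], params[24], params[25:]
    if collision_count > 2 or prefix != address[:8]:
        return False
    iid = address[8:]
    h1 = hash1(params)
    if (h1[0] & IID_COMPARE_MASK) != (iid[0] & IID_COMPARE_MASK) or h1[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5                             # Sec is read from the address itself
    return hash2_ok(hash2(modifier, pubkey), sec)


def demo() -> dict:
    """Generate a Sec=1 CGA for Alice and show which claims on it verify."""
    prefix = bytes.fromhex("2001 0db8 0000 0001")            # constructed /64
    alice_key = b"-- constructed stand-in for Alice's DER public key --"
    mallory_key = b"-- constructed stand-in for Mallory's DER public key --"
    addr, params = generate(prefix, alice_key, sec=1, modifier=bytes(16))
    # Mallory reuses Alice's modifier/prefix/count but substitutes her own key:
    # Hash1 no longer matches the interface identifier, so the claim fails.
    key_swapped = params[:25] + mallory_key
    # The same parameters do not carry over to another subnet prefix either.
    moved = bytes.fromhex("2001 0db8 0000 0002") + addr[8:]
    return {
        "address": addr.hex(),
        "sec": addr[8] >> 5,
        "valid": verify(addr, params),
        "key_swapped": verify(addr, key_swapped),
        "prefix_moved": verify(moved, params),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The Sec=1 search makes the generator try on the order of 2^16 modifiers, which is what raises an attacker's cost of finding a second key for the same 59 hash bits; the verifier pays a single SHA-1 per hash regardless of Sec.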