Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
On 19/07/2006, at 16:55, Bound, Jim wrote:
I was assuming the node regardless will use IPsec as required. Thus
it really is not shim6 concern. But I do not believe no one will not
deploy IPsec because of PKI that is simply not true.
I agree with this
but the problem is that if you want to use IPSec to secure the shim,
you need to use certificates, if not the security is not acceptable.
You need to provide a secure binding between the identifier and the
locators. IPSec without certificates does not provide this feature. If
you want to use IPSec to secure the shim6 protocol, you need the
certificates hence you need the global PKI.
So in order to evaluate a solution based on IPSec for securing the
shim6, you need to consider the fact that a global PKI is required for
Hence, the alternative solution for securing the shim at this point
would be IPSec+PKI, agree?
IPsec is deployed today with PKI.
From: marcelo bagnulo braun [mailto:email@example.com]
Sent: Wednesday, July 19, 2006 8:04 AM
To: Francis Dupont
Cc: firstname.lastname@example.org; Bound, Jim; Pekka Savola; Iljitsch van Beijnum
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
On 19/07/2006, at 14:38, Francis Dupont wrote:
I can't see where Jim proposed to base the Shim6 security
in message http://ops.ietf.org/lists/shim6/msg01511.html
it is stated that:
Suggestion is to simply embed ULIDs within the data payload
with new option and secure all communications at least for
now for IP layer communications with IPsec encryption based
on locator pair.
meaning to use IPSec as an alternative to HBA security
(something which is known to require the impossible and even not
desirable global PKI :-)