On 19/07/2006, at 16:55, Bound, Jim wrote:
I was assuming the node regardless will use IPsec as required. Thus it really is not a shim6 concern. But I do not believe no one will not deploy IPsec because of PKI; that is simply not true.
I agree with this, but the problem is that if you want to use IPSec to secure the shim, you need to use certificates; if not, the security is not acceptable.
You need to provide a secure binding between the identifier and the locators. IPSec without certificates does not provide this feature. If you want to use IPSec to secure the shim6 protocol, you need the certificates, hence you need the global PKI.
So in order to evaluate a solution based on IPSec for securing the shim6, you need to consider the fact that a global PKI is required for this.
Hence, the alternative solution for securing the shim at this point would be IPSec+PKI, agree?
regards, marcelo
IPsec is deployed today with PKI.
/jim

-----Original Message-----
From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
Sent: Wednesday, July 19, 2006 8:04 AM
To: Francis Dupont
Cc: shim6@psg.com; Bound, Jim; Pekka Savola; Iljitsch van Beijnum
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006

On 19/07/2006, at 14:38, Francis Dupont wrote:
I can't see where Jim proposed to base the Shim6 security on IPsec...

in message http://ops.ietf.org/lists/shim6/msg01511.html it is stated that:

Suggestion is to simply embed ULIDs within the data payload with new option and secure all communications at least for now for IP layer communications with IPsec encryption based on locator pair.

meaning to use IPSec as an alternative to HBA security

(something which is known to require the impossible and even not desirable global PKI :-)

exactly

Regards, marcelo

Regards
Francis.Dupont@point6.net