Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
On 19/07/2006, at 18:35, Ahrenholz, Jeffrey M wrote:
To throw 2-cents into this conversation, the SIDR WG seems to be
considering a global PKI, albeit for BGP routers and not end hosts.
but this seems to be quite different than what is needed for the
i mean for the shim6 protocol to work, we would need certificates that
bind the address itself with the public key, while what sidr is after
is a certificate that binds prefixes announced in the global routing
table with public keys (as far as i understand, and i am not following
this work very closely, so please correct me if i am wrong (i know you
So even if you did have the sidr like global pki, you would still need
to deploy host certificates to all hosts and renew those and so on.
since the owner of the certificates used in sidr are the bgp players,
creating the cert chain all the way down to the hosts may involve
considerable deployment costs
As i understand it, the only way to make the shim6 security based on
IPSec is to assume that a global PKI is deployed, including client
certificates (i.e. not only server certificates) so that it
is possible to secure any-to-any communication.
From what i understand such global pki is not in place yet and it
doesn't look like it will be anytime soon if ever.