Re: [CGA-EXT] Cga and Send extensIons (CSI) bof requested
"James Kempf" <kempf@docomolabs-usa.com> Mon, 01 October 2007 17:27 UTC
Return-path: <cga-ext-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IcP2u-0008GF-Mc; Mon, 01 Oct 2007 13:27:04 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IcP2t-0008Fv-Nt for cga-ext@ietf.org; Mon, 01 Oct 2007 13:27:03 -0400
Received: from key1.docomolabs-usa.com ([216.98.102.225] helo=fridge.docomolabs-usa.com) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IcP2t-0008Mo-5t for cga-ext@ietf.org; Mon, 01 Oct 2007 13:27:03 -0400
Message-ID: <029d01c80450$45623d20$576115ac@dcml.docomolabsusa.com>
From: James Kempf <kempf@docomolabs-usa.com>
To: Ana Kukec <anchie@fer.hr>, marcelo bagnulo braun <marcelo@it.uc3m.es>
References: <28F63372-A3AF-40A2-909B-82AAEB4D8319@it.uc3m.es> <4700E302.3030603@fer.hr>
Subject: Re: [CGA-EXT] Cga and Send extensIons (CSI) bof requested
Date: Mon, 01 Oct 2007 10:26:58 -0700
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -97.2 (---------------------------------------------------)
X-Scan-Signature: 02ec665d00de228c50c93ed6b5e4fc1a
Cc: cga-ext@ietf.org, Gabriel Montenegro <Gabriel.Montenegro@microsoft.com>
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
Errors-To: cga-ext-bounces@ietf.org
The PAD specification needs some extensions in any event. RFC 4301 doesn't
describe what the PAD entry should look like for EAP authentication of the
client in IKEv2. I exchanged some private email with Charlie Kaufman and
Bill Kent about this a while back.
jak
----- Original Message -----
From: "Ana Kukec" <anchie@fer.hr>
To: "marcelo bagnulo braun" <marcelo@it.uc3m.es>
Cc: <cga-ext@ietf.org>; "Gabriel Montenegro"
<Gabriel.Montenegro@microsoft.com>
Sent: Monday, October 01, 2007 5:07 AM
Subject: Re: [CGA-EXT] Cga and Send extensIons (CSI) bof requested
marcelo bagnulo braun wrote:
> The objective of this working group is to define extensions related to
> both to the SEND protocol and to CGAs. The following are charter items
> for the working group:
>
> - Specify as required standards-track extensions to IKE and IPsec
> SPD and PAD to support creation of IPSec SAs authenticated via CGA
> public-private key pairs of their endpoints. Because of their
> cryptographic nature, CGAs are inherently bound to the
> public-private key pair that was used for their generation. This is
> used in existent protocols for proving address ownership. However,
> it is also possible to use the CGA cryptographic material held by
> two peers to create between them a security association which is
> bound to that material. The key benefit of such an approach is that
> the resulting security association can be cryptographically bound
> to the IP address of the endpoints without exclusive recourse to
> certificates and public key infrastructure.
Regarding the standards-track extensions to SPD.. I don't think that we
need extensions to
SPD in order to provide IKEv2 peer authentication via CGAs. We just have
to define how CGA
Security Policies should look like, as described in sections 4.1 and
4.2 of
draft-laganier-ike-ipv6-cga-02.
Contrary to SPD, we need extensions to Peer Authorization Database, in
order to provide
possibility for Security Gateway to store peer endpoints' CGA parameters
in its PAD and to
exchange those CGA Parameters with peer Security Gateway in the initial
IKE exchanges.
This is proposed in draft-laganier-ike-ipv6-cga-02 (marked as TBD).
--
Ana Kukec,
http://arwen.vels.hr/~anchie
_______________________________________________
CGA-EXT mailing list
CGA-EXT@ietf.org
https://www1.ietf.org/mailman/listinfo/cga-ext
_______________________________________________
CGA-EXT mailing list
CGA-EXT@ietf.org
https://www1.ietf.org/mailman/listinfo/cga-ext
- [CGA-EXT] Cga and Send extensIons (CSI) bof reque… marcelo bagnulo braun
- Re: [CGA-EXT] Cga and Send extensIons (CSI) bof r… Wassim Haddad
- Re: [CGA-EXT] Cga and Send extensIons (CSI) bof r… Ana Kukec
- Re: [CGA-EXT] Cga and Send extensIons (CSI) bof r… James Kempf