Re: [CGA-EXT] Cga and Send extensIons (CSI) bof requested
"James Kempf" <kempf@docomolabs-usa.com> Mon, 01 October 2007 17:27 UTC
From: James Kempf <kempf@docomolabs-usa.com>
To: Ana Kukec <anchie@fer.hr>, marcelo bagnulo braun <marcelo@it.uc3m.es>
Date: Mon, 01 Oct 2007 10:26:58 -0700
Cc: cga-ext@ietf.org, Gabriel Montenegro <Gabriel.Montenegro@microsoft.com>
The PAD specification needs some extensions in any event. RFC 4301 doesn't describe what the PAD entry should look like for EAP authentication of the client in IKEv2. I exchanged some private email with Charlie Kaufman and Bill Kent about this a while back.

jak

----- Original Message -----
From: "Ana Kukec" <anchie@fer.hr>
To: "marcelo bagnulo braun" <marcelo@it.uc3m.es>
Cc: <cga-ext@ietf.org>; "Gabriel Montenegro" <Gabriel.Montenegro@microsoft.com>
Sent: Monday, October 01, 2007 5:07 AM
Subject: Re: [CGA-EXT] Cga and Send extensIons (CSI) bof requested

marcelo bagnulo braun wrote:
> The objective of this working group is to define extensions related
> both to the SEND protocol and to CGAs. The following are charter items
> for the working group:
>
> - Specify as required standards-track extensions to IKE and IPsec
> SPD and PAD to support creation of IPsec SAs authenticated via CGA
> public-private key pairs of their endpoints. Because of their
> cryptographic nature, CGAs are inherently bound to the
> public-private key pair that was used for their generation. This is
> used in existing protocols for proving address ownership. However,
> it is also possible to use the CGA cryptographic material held by
> two peers to create between them a security association which is
> bound to that material. The key benefit of such an approach is that
> the resulting security association can be cryptographically bound
> to the IP address of the endpoints without exclusive recourse to
> certificates and public key infrastructure.

Regarding the standards-track extensions to the SPD: I don't think that we need extensions to the SPD in order to provide IKEv2 peer authentication via CGAs. We just have to define what CGA Security Policies should look like, as described in sections 4.1 and 4.2 of draft-laganier-ike-ipv6-cga-02.

Unlike the SPD, the Peer Authorization Database does need extensions, in order to make it possible for a Security Gateway to store peer endpoints' CGA parameters in its PAD and to exchange those CGA Parameters with the peer Security Gateway in the initial IKE exchanges. This is proposed in draft-laganier-ike-ipv6-cga-02 (marked as TBD).

--
Ana Kukec, http://arwen.vels.hr/~anchie

_______________________________________________
CGA-EXT mailing list
CGA-EXT@ietf.org
https://www1.ietf.org/mailman/listinfo/cga-ext
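An added example (my own code, not from this thread or from draft-laganier-ike-ipv6-cga-02) of the check that binds an address to a public key, which is what a PAD entry holding a peer's CGA Parameters would let a Security Gateway perform: RFC 3972 CGA generation and verification in Python. The prefix and the public-key bytes are constructed stand-ins, and extension fields are omitted.

```python
import hashlib
import ipaddress

SEC_SHIFT = 5            # Sec occupies bits 0-2 (the top 3 bits) of the interface identifier
HASH1_CMP_MASK = 0x1C    # bits 3-5 of byte 0: the only byte-0 bits compared against Hash1
                         # (bits 0-2 carry Sec, bits 6-7 are the u/g bits; both are ignored)

def cga_params(modifier, prefix, collision_count, pubkey):
    """Serialise the RFC 3972 CGA Parameters structure (no extension fields)."""
    return modifier + prefix + bytes([collision_count]) + pubkey

def hash2(modifier, pubkey):
    """Hash2 = leftmost 112 bits of SHA-1(Modifier || 9 zero octets || Public Key)."""
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]

def generate_cga(prefix, pubkey, sec, modifier=b"\x00" * 16, collision_count=0):
    """Build a CGA (RFC 3972 s.4): find a Modifier meeting the Sec condition, then derive Hash1."""
    while hash2(modifier, pubkey)[:2 * sec] != b"\x00" * (2 * sec):   # need 16*Sec leading zero bits
        modifier = ((int.from_bytes(modifier, "big") + 1) % 2**128).to_bytes(16, "big")
    params = cga_params(modifier, prefix, collision_count, pubkey)
    iid = bytearray(hashlib.sha1(params).digest()[:8])              # Hash1, leftmost 64 bits
    iid[0] = (iid[0] & HASH1_CMP_MASK) | (sec << SEC_SHIFT)          # write Sec, clear u/g bits
    return str(ipaddress.IPv6Address(prefix + bytes(iid))), params

def verify_cga(address, params):
    """RFC 3972 s.5: is this address really derived from these CGA Parameters?"""
    addr = ipaddress.IPv6Address(address).packed
    modifier, prefix, collision_count, pubkey = params[:16], params[16:24], params[24], params[25:]
    if collision_count > 2 or prefix != addr[:8]:
        return False
    iid = addr[8:]
    sec = iid[0] >> SEC_SHIFT
    h1 = hashlib.sha1(params).digest()[:8]
    if (h1[0] & HASH1_CMP_MASK) != (iid[0] & HASH1_CMP_MASK) or h1[1:] != iid[1:]:
        return False
    return hash2(modifier, pubkey)[:2 * sec] == b"\x00" * (2 * sec)

if __name__ == "__main__":
    # Constructed sample input: a /64 prefix and a stand-in for the DER-encoded public key.
    prefix = bytes.fromhex("20010db800000001")
    pubkey = b"CONSTRUCTED-STAND-IN-FOR-A-DER-SubjectPublicKeyInfo"
    addr, params = generate_cga(prefix, pubkey, sec=1)
    print(addr, verify_cga(addr, params))                          # True
    # A peer presenting a different key for the same address fails the check.
    print(verify_cga(addr, params[:25] + b"X" * len(pubkey)))      # False
```

The Sec=1 search costs about 2^16 SHA-1 evaluations; raising Sec multiplies the generation cost by 2^16 per step while verification stays constant, which is the hash-extension trade-off RFC 3972 relies on.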