[Int-area] Re: [CGA-EXT] Cga and Send extensIons (CSI) bof requested

Ana Kukec <anchie@fer.hr> Mon, 01 October 2007 13:40 UTC

Message-ID: <4700DF64.4060207@fer.hr>
Date: Mon, 01 Oct 2007 13:52:04 +0200
From: Ana Kukec <anchie@fer.hr>
To: marcelo bagnulo braun <marcelo@it.uc3m.es>
In-Reply-To: <28F63372-A3AF-40A2-909B-82AAEB4D8319@it.uc3m.es>
Cc: cga-ext@ietf.org, Internet Area <int-area@ietf.org>, Gabriel Montenegro <Gabriel.Montenegro@microsoft.com>
Subject: [Int-area] Re: [CGA-EXT] Cga and Send extensIons (CSI) bof requested

marcelo bagnulo braun wrote:
> The objective of this working group is to define extensions related
> both to the SEND protocol and to CGAs.  The following are charter items
> for the working group:
>
> - Specify as required standards-track extensions to IKE and IPsec
>   SPD and PAD to support creation of IPSec SAs authenticated via CGA
>   public-private key pairs of their endpoints.  Because of their
>   cryptographic nature, CGAs are inherently bound to the
>   public-private key pair that was used for their generation.  This is
>   used in existent protocols for proving address ownership.  However,
>   it is also possible to use the CGA cryptographic material held by
>   two peers to create between them a security association which is
>   bound to that material.  The key benefit of such an approach is that
>   the resulting security association can be cryptographically bound
>   to the IP address of the endpoints without exclusive recourse to
>   certificates and public key infrastructure.

Regarding the standards-track extensions to the SPD: I don't think that we need extensions to the SPD in order to provide IKEv2 peer authentication via CGAs. We just have to define what CGA Security Policies should look like, as described in sections 4.1 and 4.2 of draft-laganier-ike-ipv6-cga-02.

Contrary to the SPD, we need extensions to the Peer Authorization Database in order to make it possible for a Security Gateway to store peer endpoints' CGA parameters in its PAD and to exchange those CGA Parameters with the peer Security Gateway in the initial IKE exchanges. This is proposed in draft-laganier-ike-ipv6-cga-02 (marked as TBD).

--
Ana Kukec,
http://arwen.vels.hr/~anchie
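Added example (not part of this message, of the charter text, or of draft-laganier-ike-ipv6-cga-02): the RFC 3972 generation and verification steps that make a CGA "inherently bound" to its public key, which is the check a Security Gateway would run against the peer's CGA Parameters held in its PAD before trusting the address in an IKE exchange. The public key bytes and the 2001:db8::/64 prefix are constructed placeholders; a real CGA carries the node's DER-encoded SubjectPublicKeyInfo.

```python
import hashlib
import os

# Constructed stand-in for the DER-encoded SubjectPublicKeyInfo a real CGA carries.
FAKE_PUBLIC_KEY = b"\x30\x82\x01\x22" + b"\xab" * 290
PREFIX_2001_DB8 = bytes.fromhex("20010db800000000")  # 2001:db8::/64, documentation prefix

def cga_parameters(modifier, prefix, collision_count, public_key):
    """CGA Parameters (RFC 3972, sec. 4): Modifier | Subnet Prefix | Collision Count | Public Key."""
    return modifier + prefix + bytes([collision_count]) + public_key

def hash2_ok(modifier, public_key, sec):
    """Hash2 = SHA-1(Modifier | 9 zero octets | Public Key); its leftmost 16*Sec bits must be zero."""
    h2 = hashlib.sha1(modifier + b"\x00" * 9 + public_key).digest()
    return h2[: 2 * sec] == b"\x00" * (2 * sec)

def interface_identifier(params, sec):
    """Hash1 = leftmost 64 bits of SHA-1(CGA Parameters); bits 0-2 carry Sec, bits 6 (u) and 7 (g) are zero."""
    h1 = hashlib.sha1(params).digest()[:8]
    return bytes([(sec << 5) | (h1[0] & 0x1C)]) + h1[1:]

def generate_cga(prefix, public_key, sec, collision_count=0, modifier=None):
    """Return (16-byte address, CGA Parameters). Higher Sec costs about 2^(16*Sec) SHA-1 trials."""
    modifier = modifier or os.urandom(16)
    while not hash2_ok(modifier, public_key, sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    params = cga_parameters(modifier, prefix, collision_count, public_key)
    return prefix + interface_identifier(params, sec), params

def verify_cga(address, params):
    """Verification per RFC 3972, sec. 5: the address must match the key carried in the parameters."""
    modifier, prefix, collision_count, public_key = params[:16], params[16:24], params[24], params[25:]
    if collision_count > 2 or address[:8] != prefix:
        return False
    iid = address[8:]
    sec = iid[0] >> 5
    expected = interface_identifier(params, sec)
    # Compare Hash1 ignoring bits 0, 1, 2, 6 and 7 of the first octet.
    if (expected[0] & 0x1C) != (iid[0] & 0x1C) or expected[1:] != iid[1:]:
        return False
    return hash2_ok(modifier, public_key, sec)

if __name__ == "__main__":
    import ipaddress
    addr, params = generate_cga(PREFIX_2001_DB8, FAKE_PUBLIC_KEY, sec=1)
    print(ipaddress.IPv6Address(addr), verify_cga(addr, params))
```

Swapping in a different public key with the same modifier and prefix makes verification fail, which is the binding the charter text relies on.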