On 25.9.2014, at 14.19, Tero Kivinen <kivi...@iki.fi> wrote:
> Markus Stenberg writes:
>>> Is there something else that’ll work as transport layer security
>>> for multicast, or should we send a request for the IETF leadership
>>> to investigate if this is something that needs to be developed? 
>> 
>> There is not that I know of. 
>> 
>> I believe msec work is somewhat outdated (based on IKEv1, and not
>> widely deployed), but security isn’t popular, and multicast isn’t
>> popular, so combining them is not usually a win in the IETF. (And
>> especially in seeing them implemented - still not sure how many msec
>> implementations there have been.)
> 
> There is also ikev2 version of group key management
> (draft-yeung-g-ikev2), but the draft seems to have expired some time
> ago. I still think it was supposed to be published.

Ah, interesting, did not know about that. Thanks ;)

> If homenet needs multicast support then it might be a good idea to push
> that document forward.

How does this solution work with e.g. link-local-only littleconf-TOFU setup?

To be more precise, I am not sure which node would be the GCKS, and how other nodes
would find that node. Based on a cursory read of the draft, it seems to assume
that non-GCKS nodes know the GCKS address in advance.

> I do not think replacing the IKEv2 with TLS would help at all. If you
> go for application level protection then using DTLS or similar is
> better than getting ESP involved at all. 

DTLS has a rather sad multicast story too (=manually keyed IPsec without IPsec
and draft-only at the moment). Of course, whether or not we really have to
secure multicast at all in the case of HNCP is debatable. However, as a general
solution, it is somewhat lacking, as leveraging the same thing for e.g. a bit more
multicast-heavy routing protocols would not work in the case of DTLS (then again, I
am not sure if GDOI / G-IKEv2 are much better due to them being mostly
draft-only vaporware at this point).

Cheers,

-Markus
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet