marcelo bagnulo braun wrote:
The objective of this working group is to define extensions related
both to the SEND protocol and to CGAs.  The following are charter items
for the working group:

- Specify as required standards-track extensions to IKE and IPsec
  SPD and PAD to support creation of IPsec SAs authenticated via CGA
  public-private key pairs of their endpoints.  Because of their
  cryptographic nature, CGAs are inherently bound to the
  public-private key pair that was used for their generation.  This is
  used in existent protocols for proving address ownership.  However,
  it is also possible to use the CGA cryptographic material held by
  two peers to create between them a security association which is
  bound to that material.  The key benefit of such an approach is that
  the resulting security association can be cryptographically bound
  to the IP address of the endpoints without exclusive recourse to
  certificates and public key infrastructure.

Regarding the standards-track extensions to the SPD: I don't think that we need extensions to the SPD in order to provide IKEv2 peer authentication via CGAs. We just have to define what CGA Security Policies should look like, as described in sections 4.1 and 4.2 of draft-laganier-ike-ipv6-cga-02.

Contrary to the SPD, we do need extensions to the Peer Authorization Database, in order to make it possible for a Security Gateway to store peer endpoints' CGA Parameters in its PAD and to exchange those CGA Parameters with the peer Security Gateway in the initial IKE exchanges. This is proposed in draft-laganier-ike-ipv6-cga-02 (marked as TBD).

--
Ana Kukec,
http://arwen.vels.hr/~anchie

_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area
