At 4:39 PM +0800 1/29/12, zong.zaif...@zte.com.cn wrote:
> Hi Stephen, Tricci:
> Sorry that I didn't respond to this email on time due to the Chinese
> Spring Festival. I would like to thank Stephen first for reviewing
> the draft and giving me your suggestions.
no problem. Happy New Year.
> From reading Stephen's email, if my understanding is correct, you
> assumed that SeGW will pass some information to the core network in
> order that the core network can verify the "notarized" FAP
> information? And you think that the information exchange between SeGW
> and the core network is a big change to IKE, is this correct
> understanding of your email?
not quite. I was wrong to suggest that the SecGW sent the signed data
directly to the core network. The data that the SecGW signs is
presented by the FAP to the core network. My principal concern is
that it is inappropriate to use an IKE payload to transport data to
be signed, and then the signed data,
when the consumer of this data is not IPsec. IKE payloads are used to
convey data needed to create and manage SAs, including key material,
data for authentication, etc. This signed data appears to be for
authorization decisions effected by some element of the core network,
outside of the IPsec SA itself.
> I understand that this configuration-based assumption may have some
> limits. I think that to generate a cert by the SeGW and send it to
> the FAP and then from the FAP to the core network is a good
> implementation option. Perhaps I should make the CP flexible enough
> to adapt to all the implementation options. If you have any good
> idea on how the CP should be designed, could you kindly give me your
> suggestion?
I don't want to suggest design options for you, as I am not familiar with
the environment in which you are working. Also, lots of flexibility
may not be a good idea in a security context. I'm merely suggesting
that using IKE payloads seems inappropriate for what I believe you
are trying to do, based on reading one very brief document.
Steve
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec