Linda Dunbar <[email protected]> wrote:
>> Could you share your recommendation on the best path forward? Should we
>> consider AD sponsorship, pursue adoption in IPsecme, or take another
>> route?
> 1. Running Code.
Linda> HMAC is already widely deployed in IPsec and other protocols; our
Linda> approach simply applies the same existing HMAC functionality more
Linda> selectively, so it is a subset of what current implementations
Linda> already support.
If IPsec was as simple as asserting that des.c exists on a system, then I
might agree. But, it's not like that. Key management is non-trivial.
> 2. As for rough consensus: Depends upon who is going to implement.
> It seems that you need Azure, Google, AWS to implement in order to deploy.
Linda> The mechanism is not tied to any specific cloud provider; it
Linda> relies on standard HMAC functions already supported in existing
Linda> implementations, so deployment is not dependent on Azure, Google,
Linda> or AWS.
So, I can just start using it, and the various cloud providers will
automatically be able to validate this "standard HMAC functions"?
Do you even need an RFC in that case?
Linda> The overall HMAC approach is described in
Linda> https://datatracker.ietf.org/doc/draft-ietf-rtgwg-multisegment-sdwan/
Linda> , co-authored by Google and Oracle Cloud, while the current draft
Linda> focuses on the key management details that require review and
Linda> endorsement from IPsec WG experts. For this reason, we are seeking
Linda> either Security AD sponsorship or adoption in the IPsecme WG.
I looked through that document, and it seems that it's all there, including
the statement that I recalled:
    This mechanism is scoped to communication between SD-WAN CPEs
    and Cloud GWs, with the shared key provisioned through a
    secure channel.
and since this secure channel isn't IKEv2, and this isn't IPsec ESP (it's a
new TLV for GENEVE), this WG really can't help you.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
