Question about IPsec in IPv6

2003-01-20 Thread Mario Goebbels
Hi!

I want to know if any additions have been made to the IPsec part of
IPv6. Something that bugs me about IPsec on IPv4 is that it either required
some system-backed authentication (Kerberos), some CA-issued certificate
or the worst solution being a static keyphrase. Now to my question: Does
IPsec in IPv6 allow ad hoc connections not requiring any certificates,
rather just doing a simple key exchange (e.g. using a set of randomly
generated public keys), with the simple purpose of encrypting the
connection?

Thanks for any info!

-mg


IETF IPng Working Group Mailing List
IPng Home Page:  http://playground.sun.com/ipng
FTP archive:  ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]




Re: Question about IPsec in IPv6

2003-01-20 Thread Francis Dupont
 In your previous mail you wrote:

   I want to know if any additions have been made to the IPsec part of
   IPv6. Something that bugs me about IPsec on IPv4 is that it either required
   some system-backed authentication (Kerberos), some CA-issued certificate
   or the worst solution being a static keyphrase. Now to my question: Does
   IPsec in IPv6 allow ad hoc connections not requiring any certificates,
   rather just doing a simple key exchange (e.g. using a set of randomly
   generated public keys), with the simple purpose of encrypting the
   connection?
   
= I disagree: without authentication (by a pre-shared secret,
certificate/signature or public key) you can be attacked by the
Man-In-The-Middle, i.e., you can get a very secure connection with
a bad guy, not the intended correspondent. There are some schemes
where one participant can be anonymous, but at most one (i.e., never both).

Regards

[EMAIL PROTECTED]

PS: there is no difference between IPv4 and IPv6 in IPsec.


RE: Question about IPsec in IPv6

2003-01-20 Thread Mario Goebbels
 = I disagree: without authentication (by a pre-shared 
 secret, certificate/signature or public key) you can be 
 attacked by the Man-In-The-Middle, i.e., you can get a very 
 secure connection with a bad guy, not the intended 
 correspondent. There are some schemes where one participant 
 can be anonymous, but at most one (i.e., never both).

Is this scheme used anywhere on the net? Can I make use of it whatever
time I want? E.g. the server has a cert and I don't, but the server
requires IPsec, my client will respond even without a cert?

Well, I asked that question, let's say, for the case that two end users
without any certificates can build up a secure line between each other.
For example an IM application could turn on IPsec without a certificate.
The problem is I don't see end users buying certificates anytime soon,
which might be important for pure P2P applications wanting to use the
IPsec protocol, at least in my thoughts.

Thanks for any info

-mg



Re: Question about IPsec in IPv6

2003-01-20 Thread Francis Dupont
 In your previous mail you wrote:

   = I disagree: without authentication (by a pre-shared 
   secret, certificate/signature or public key) you can be 
   attacked by the Man-In-The-Middle, i.e., you can get a very 
   secure connection with a bad guy, not the intended 
   correspondent. There are some schemes where one participant 
   can be anonymous, but at most one (i.e., never both).
   
   Is this scheme used anywhere on the net?

= yes, anywhere but not in any case.

   Can I make use of it whatever time I want?

= no, it works only on client-server interactions where the server
doesn't bother about who the client is. It is safe for the client (the
server is authenticated) but not for the server (but it doesn't matter).
With IKE the traditional way to do this is to enable self-signed
certificates. HIP and opportunistic encryption have this style
of anonymous initiators (and both use DNSSEC for strong authentication).

   E.g. the server has a cert and I dont, but the server
   requires IPsec, my client will respond even without cert?
   
= if the server requires IPsec only because of its service and
gives the same right to any client then a self-signed cert can be
a good solution. SSL/TLS is commonly used with this kind of asymmetrical
authentication.

   Well I asked that question, lets say for the case that two endusers
   without any certificates can build up a secure line between each other.

= they can't.

   For example an IM application could turn on IPsec without certificate.
   The problem is I don't see endusers buying certificates anytime soon,
   which might be important for pure P2P applications wanting to use the
   IPsec protocol, at least in my thoughts.
   
= not only do they have to use certificates & co, but a global PKI is needed...

Regards

[EMAIL PROTECTED]

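
The two points Francis makes above, that an unauthenticated key exchange gives you "a very secure connection with a bad guy" and that authenticating only one side is enough for the anonymous side, can be shown with a small simulation. The Python below is an added example written for this page; it is not code from the thread, from IKE, or from any IPsec implementation. The names Alice (anonymous initiator), Bob (responder with a long-term key, the way a server with a self-signed certificate pinned by the client would have one) and Mallory (in the path) are assumptions, and the group parameters are a toy safe prime chosen so the arithmetic is readable, not a real IKE MODP group. The control flow, however, is the one the discussion describes: plain Diffie-Hellman in both directions, optionally with the responder signing the transcript it saw.

```python
import hashlib
import secrets

# Toy safe-prime group p = 2q + 1, chosen for this example (NOT a real IKE
# MODP group; real exchanges use 2048-bit groups).  g = 4 is a quadratic
# residue, so it generates the order-q subgroup and every share lies there.
P = 1907
Q = 953
G = 4


def _h(*parts: bytes) -> int:
    """Length-prefixed SHA-256 over the parts, returned as an integer."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return int.from_bytes(h.digest(), "big")


def _i2b(n: int) -> bytes:
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


def keypair():
    """Secret exponent in [1, q-1] and its public element g^x mod p.
    Used both for ephemeral DH shares and for Bob's long-term signing key."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    # Reject 0, 1, p-1 and anything outside the order-q subgroup: accepting a
    # small-subgroup element would leak bits of priv to the peer.
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("invalid DH share")
    return pow(peer_pub, priv, P)


def session_key(shared, init_share, resp_share):
    """128-bit key bound to the transcript the deriving party believes it saw."""
    return _h(_i2b(shared), _i2b(init_share), _i2b(resp_share)) & ((1 << 128) - 1)


def sign(sk, msg):
    """Schnorr signature over the same group; stands in for a certificate's
    signature algorithm.  The challenge e is the full hash, not reduced mod q."""
    k, r = keypair()
    e = _h(_i2b(r), msg)
    return e, (k - sk * e) % Q


def verify(pk, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(pk, e, P) % P      # equals g^k for a genuine signature
    return _h(_i2b(r), msg) == e


def exchange(authenticated, mallory_in_path):
    """Two-message exchange: Alice (initiator, anonymous) <-> Bob (responder).

    Only Bob has a long-term key; Alice holds its public half in advance, the
    way a client pins a self-signed cert.  Returns the keys each party ends
    up with; Alice's is None when she aborts."""
    bob_sk, bob_pk = keypair()            # Bob's identity key
    a, ga = keypair()                     # Alice's ephemeral share
    b, gb = keypair()                     # Bob's ephemeral share
    keys = {"alice": None, "bob": None, "mallory_alice": None, "mallory_bob": None}

    # Message 1, Alice -> Bob: g^a.  Mallory, if present, replaces it with g^m1.
    if mallory_in_path:
        m1, gm1 = keypair()
        bob_sees = gm1
    else:
        bob_sees = ga

    # Message 2, Bob -> Alice: g^b plus, if authentication is on, a signature
    # over the transcript as Bob saw it.  Bob never learns who Alice is.
    sig = sign(bob_sk, _i2b(bob_sees) + _i2b(gb)) if authenticated else None
    keys["bob"] = session_key(dh_shared(b, bob_sees), bob_sees, gb)

    if mallory_in_path:
        m2, gm2 = keypair()
        alice_sees = gm2                  # Mallory swaps Bob's share for g^m2
        keys["mallory_alice"] = session_key(dh_shared(m2, ga), ga, gm2)
        keys["mallory_bob"] = session_key(dh_shared(m1, gb), gm1, gb)
        # She can relay Bob's signature unchanged but cannot re-sign (g^a, g^m2)
        # without bob_sk, so the relayed signature will not match Alice's view.
    else:
        alice_sees = gb

    if authenticated and not verify(bob_pk, _i2b(ga) + _i2b(alice_sees), sig):
        return keys                       # responder not authenticated: abort
    keys["alice"] = session_key(dh_shared(a, alice_sees), ga, alice_sees)
    return keys
```

Running `exchange(False, True)` gives Alice and Bob two different keys, each shared with Mallory: both ends have a perfectly good encrypted channel, just not with each other. With `exchange(True, True)` Alice's signature check fails and she aborts, while Bob has still derived a key with Mallory, who to him is simply another anonymous client; that is the "safe for the client, not for the server, but it doesn't matter" case. Two parties who both want to stay anonymous are back in the first situation, which is why two certificate-less end users cannot get a line that is secure against an active attacker.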