[no subject]
I am trying to understand what we are debating:
a) The assumption of pre-established shared secret for IKE between ARs is not practical?
You should not go through a burden of shared secret configuration, and should use certificates?
or
b) IKE is not practical? and some other key exchange/ SA management method must be used.
Answer to a) The way I see it, doing IKE just in time for CTP is not practical, since the round trip delays involved in IKE defeat the purpose of CTP for enhancing the handover in the first place. If you decide on IKE, it has to be done way before the handover and between each AR-pair. It does not matter whether you are using shared secrets or certificates, you are not saving any round trips. You just have less administrative burden with certificates, but more investment requirement for the PKI that you have to put in place.
Answer to b) This is a completely separate issue. Then you have to see whether you want to use IPsec or something else like TLS (which means setting up TCP between ARs, and we don't want that) or some other security method. When you decide on IPsec, then you need to find an implementation that does IPsec without IKE (not sure how common that is).
From the discussions I have seen, it is not clear what we are debating.
Regards,
Madjid
-----Original Message-----
From: seamoby-bounces at ietf.org [mailto:seamoby-bounces at ietf.org] On Behalf Of James Kempf
Sent: Friday, July 16, 2004 5:52 PM
To: rajeev at iprg.nokia.com; Vijay Devarapalli
Cc: seamoby at ietf.org
Subject: Re: [Seamoby] Status of Seamoby drafts
I think that if each router shares a symmetric security association with
each other router, secured by a shared key, and there are n routers, the
total number of keys is sum i over n-1 to 0 ( i ). 5 routers require 4 + 3 +
2 +1 keys, 3 routers require 2 + 1 keys, etc. I agree that it is a lot less
than n(n-1), I don't know where he got that number. I think the point he is
trying to make is that a symmetric keying scheme would result in a
configuration problem for a large network.
But my response to him is that it isn't a problem for this document to
solve, at least, not yet. I don't think we need to engage him on the
accuracy of his estimate.
jak
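To make the provisioning numbers in this reply (and the SA-per-AR-pair point in the reply above it) concrete, here is an added Python illustration; it is not code from the Seamoby drafts or from anyone on the list. It assumes a set of access routers named AR0..AR(n-1), a constructed random value per pre-shared key, and one certificate per router under a common CA. It enumerates the unordered AR pairs to get the unique key count (the triangular sum in the message, i.e. n(n-1)/2), and separately counts how many key entries end up in the routers' local configurations, since each pairwise key must be stored at both ends.

```python
"""Pre-shared-key vs certificate provisioning burden for a full mesh of
access routers (ARs).  Added illustration; hypothetical names and values."""
from itertools import combinations
import secrets


def pairwise_psk_inventory(routers):
    """One unordered AR pair -> one symmetric key (constructed random value).

    Every pair needs its own SA established ahead of the handover, so every
    pair needs its own key.
    """
    return {frozenset(pair): secrets.token_hex(16)
            for pair in combinations(routers, 2)}


def per_router_config(inventory):
    """Expand the inventory into each AR's local configuration.

    Each key is stored on both routers of the pair, so the total number of
    configuration entries is twice the number of unique keys.
    """
    config = {}
    for pair, key in inventory.items():
        a, b = sorted(pair)
        config.setdefault(a, {})[b] = key
        config.setdefault(b, {})[a] = key
    return config


def keys_touched_when_ar_joins(existing_routers):
    """Adding one AR to a PSK mesh means a new key with every existing AR,
    each of which must also be reconfigured; with certificates the new AR
    gets one certificate and existing routers are untouched."""
    return {"new_psks": len(existing_routers),
            "existing_routers_reconfigured": len(existing_routers),
            "new_certificates": 1,
            "existing_routers_reconfigured_with_certs": 0}


def provisioning_counts(n):
    """Summary for a mesh of n ARs; closed forms included for comparison."""
    routers = [f"AR{i}" for i in range(n)]
    inventory = pairwise_psk_inventory(routers)
    config = per_router_config(inventory)
    return {
        "unique_psks": len(inventory),                # n(n-1)/2
        "triangular_sum": sum(range(n)),              # (n-1) + (n-2) + ... + 1
        "closed_form_unique": n * (n - 1) // 2,
        "psk_config_entries": sum(len(peers) for peers in config.values()),  # n(n-1)
        "certificates": n,                             # one per AR, common CA assumed
    }


if __name__ == "__main__":
    for n in (3, 5, 50):
        print(n, provisioning_counts(n))
```

The `psk_config_entries` figure is the one that grows as n(n-1): it counts the key material that actually has to be placed on routers, not the number of distinct keys. Certificates keep the per-router provisioning flat, at the cost of operating the CA.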
----- Original Message -----
From: "Rajeev Koodli" <rajeev at iprg.nokia.com>
To: "Vijay Devarapalli" <vijayd at iprg.nokia.com>
Cc: "James Kempf" <kempf at docomolabs-usa.com>; <seamoby at ietf.org>
Sent: Friday, July 16, 2004 3:23 PM
Subject: Re: [Seamoby] Status of Seamoby drafts
>
> Vijay, Jim,
>
> Vijay Devarapalli wrote:
>
> > > Since context transfer security is an n by n problem, establishing the SAs
> > > to protect inter-router transfers is not an easy thing. For this reason one
> > > might conclude that pre-shared keys are difficult, since n(n-1) of them
> > > would be necessary. On the other hand, is it being suggested that each
> > > router needs to be provisioned with a certificate? On reading the draft it
> > > isn't clear what's being recommended (or even considered).
> >
>
> I could not parse the "n by n" problem. Any pointers ?
> Why is the order higher than pairwise SA between routers, which might
> already exist ?
>
> -Rajeev
>
>
> >
> > this comment is valid. but since we assume the access routers are
> > part of the same administrative domain, they are provisioned with
> > the required certificates to run IKE. (?)
> >
> > Vijay
> >
> > _______________________________________________
> > Seamoby mailing list
> > Seamoby at ietf.org
> > https://www1.ietf.org/mailman/listinfo/seamoby
>
>
_______________________________________________
Seamoby mailing list
Seamoby at ietf.org
https://www1.ietf.org/mailman/listinfo/seamoby
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
</body>
</html>