RE: IPSEC-PIB as mechanism for key distribution
You probably noticed that all the "key" attributes are optional. Hence, you don't have to use IPsec PIB to distribute keys. If you choose to distribute keys via IPsec PIB, you certainly need to secure the transport, i.e., COPS-PR protocol. These are discussed in the "security considerations" section.
Best regards
Man Li
> -----Original Message-----
> From: owner-ipsec-policy@xxxxxxxxxxxxx
> [mailto:owner-ipsec-policy@xxxxxxxxxxxxx] On Behalf Of ext Félix J. García Clemente
> Sent: Thursday, April 15, 2004 1:15 PM
> To: ipsec-policy@xxxxxxxx
> Subject: IPSEC-PIB as mechanism for key distribution
>
> Hello all,
> IPSEC-PIB has several attributes to specify keys. The attribute
> ipSecXXTransformIntegrityKey specifies the integrity key to be used and
> the attribute ipSecEspTransformCipherKey specifies the cipher key to be
> used. And the attribute ipSecIkeAssociationPresharedKey contains the
> pre-shared key.
> It means that IPSEC-PIB is used to distribute keys, doesn't it?
>
> I have noted that the keys don't have a specific class where they can be
> defined (for example ipSecSharedSecret) and then they must be specified
> in other classes and it is not possible to reference them.
> Even the keys are transported by PIB in plaintext. Maybe an attribute
> similar to 'Algorithm' of the class CIM_SharedSecret may be useful to
> protect the keys.
> Maybe it can be interesting in a future draft. What do you think?
>
> Regards,
> Félix