[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSEC-PIB as mechanism for key distribution



Hello,

Man.M.Li@xxxxxxxxx wrote:

> You probably noticed that all the "key" attributes are optional. Hence, you don't have to use IPsec PIB to distribute keys.

Ok, but if IPsec PIB don't specify the keys, how can I know the keys to use?
IPsec PIB cann't reference the keys. Do I must use a external mechanism to link the key with the PIB?

> If you choose to distribute keys via IPsec PIB, you certainly need to secure the transport, i.e., COPS-PR protocol. These are discussed in the "security considerations" section.

Ok, I need to secure the transport protocol (maybe IPsec or TLS) and then it means that I need distribute keys previously.
In my opinion, I think the key distribution must be not permited in the IPsec PIB (neither as optional) and other mechanism has to be used to distribute keys (maybe other PIB or MIB).

Regards,
Félix

> Best regards
> Man Li
>
> > -----Original Message-----
> > From: owner-ipsec-policy@xxxxxxxxxxxxx
> > [mailto:owner-ipsec-policy@xxxxxxxxxxxxx]On Behalf Of ext
> > Félix J.García
> > Clemente
> > Sent: Thursday, April 15, 2004 1:15 PM
> > To: ipsec-policy@xxxxxxxx
> > Subject: IPSEC-PIB as mechanism for key distribution
> >
> >
> >
> >
> > Hello all,
> > IPSEC-PIB has several attributes to specify keys. The attribute
> > ipSecXXTransformIntegrityKey specifies the integrity key to
> > be used and
> > the attribute ipSecEspTransformCipherKey specifies the cipher
> > key to be
> > used. And the attribute ipSecIkeAssociationPresharedKey contains the
> > pre-shared key.
> > It means that IPSEC-PIB is used to distribute keys, doesn't it?.
> >
> > I have noted that the keys don't have a specific class where can be
> > defined (for example ipSecSharedSecret) and then they must be
> > specified
> > in other classes and it is not possible to reference them.
> > Even the keys are transported by PIB in plaintext. Maybe an attribute
> > similar to 'Algorithm' of the class CIM_SharedSecret may be useful to
> > protect the keys.
> > Maybe it can be interesting in a future draft. What do you think?
> >
> > Regards,
> > Félix
> >
> >
> >
> >