RE: IPSEC-PIB as mechanism for key distribution
>
> > You probably noticed that all the "key" attributes are
> optional. Hence, you don't have to use IPsec PIB to distribute keys.
>
> Ok, but if IPsec PIB doesn't specify the keys, how can I know
> the keys to use?
> IPsec PIB can't reference the keys. Must I use an external
> mechanism to link the key with the PIB?
Yes.
>
> > If you choose to distribute keys via IPsec PIB, you
> certainly need to secure the transport, i.e., COPS-PR
> protocol. These are discussed in the "security
> considerations" section.
>
> Ok, I need to secure the transport protocol (maybe IPsec or
> TLS), and then it means that I need to distribute keys beforehand.
> In my opinion, the key distribution must not be
> permitted in the IPsec PIB (not even as optional) and another
> mechanism has to be used to distribute keys (maybe another PIB or MIB).
Many other people have different opinions than yours and that's why we have the optional feature.
>
> Regards,
> Félix
>
> > Best regards
> > Man Li
> >
> > > -----Original Message-----
> > > From: owner-ipsec-policy@xxxxxxxxxxxxx
> > > [mailto:owner-ipsec-policy@xxxxxxxxxxxxx]On Behalf Of ext
> > > Félix J.García
> > > Clemente
> > > Sent: Thursday, April 15, 2004 1:15 PM
> > > To: ipsec-policy@xxxxxxxx
> > > Subject: IPSEC-PIB as mechanism for key distribution
> > >
> > >
> > >
> > >
> > > Hello all,
> > > IPSEC-PIB has several attributes to specify keys. The attribute
> > > ipSecXXTransformIntegrityKey specifies the integrity key to
> > > be used and
> > > the attribute ipSecEspTransformCipherKey specifies the cipher
> > > key to be
> > > used. And the attribute ipSecIkeAssociationPresharedKey
> > > contains the
> > > pre-shared key.
> > > It means that IPSEC-PIB is used to distribute keys, doesn't it?
> > >
> > > I have noted that the keys don't have a specific class
> > > where they can be
> > > defined (for example ipSecSharedSecret) and then they must be
> > > specified
> > > in other classes and it is not possible to reference them.
> > > The keys are even transported by the PIB in plaintext. Maybe
> > > an attribute
> > > similar to 'Algorithm' of the class CIM_SharedSecret may
> > > be useful to
> > > protect the keys.
> > > Maybe it could be of interest for a future draft. What do you think?
> > >
> > > Regards,
> > > Félix
> > >
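The thread turns on one trade-off: the IPsec PIB key attributes are optional, and if a PDP does fill them in, the COPS-PR transport must itself be protected (IPsec or TLS) because the PIB carries the keys in plaintext. The following audit, added here as an example and not code from the thread or from the IPsec PIB draft, models a COPS-PR provisioning decision as a plain dictionary of PIB class instances and classifies it into the three situations the thread describes: keys left out (external key mechanism), keys in-band over a protected transport, or keys in-band over an unprotected transport. The attribute names ipSecEspTransformCipherKey and ipSecIkeAssociationPresharedKey come from the post; the two integrity-key names are an assumed expansion of the post's "ipSecXXTransformIntegrityKey", and the ProvisioningDecision structure and sample values are constructed for the example.

```python
"""Audit a COPS-PR provisioning decision for in-band IPsec PIB key material.

Example code written for this thread; not part of the IPsec PIB draft.
"""
from dataclasses import dataclass, field

# Key-bearing PIB attributes named in the thread. The AH/ESP integrity key
# names are an ASSUMED expansion of the post's "ipSecXXTransformIntegrityKey".
KEY_ATTRIBUTES = {
    "ipSecEspTransformCipherKey",
    "ipSecIkeAssociationPresharedKey",
    "ipSecAhTransformIntegrityKey",   # assumed name
    "ipSecEspTransformIntegrityKey",  # assumed name
}


@dataclass
class ProvisioningDecision:
    """Constructed model of one COPS-PR DEC message carrying PIB instances."""
    transport_protected: bool                       # COPS-PR over IPsec/TLS?
    instances: dict = field(default_factory=dict)   # {pib_class: {attr: value}}


def find_inband_keys(decision):
    """Return (class, attribute) pairs whose value carries raw key material.

    An attribute that is absent, None or empty counts as 'not supplied', which
    is the optional-attribute case the thread relies on for external keying.
    """
    found = []
    for pib_class, attrs in decision.instances.items():
        for name, value in attrs.items():
            if name in KEY_ATTRIBUTES and value not in (None, b"", ""):
                found.append((pib_class, name))
    return found


def audit(decision):
    """Classify a decision as one of:
    'external-keys'    - no key attributes filled; keys come from elsewhere
    'inband-protected' - keys in the PIB, but COPS-PR transport is secured
    'inband-plaintext' - keys in the PIB over an unprotected transport
    Returns (verdict, list_of_key_locations).
    """
    keys = find_inband_keys(decision)
    if not keys:
        return "external-keys", keys
    if decision.transport_protected:
        return "inband-protected", keys
    return "inband-plaintext", keys


# --- Constructed sample decisions -------------------------------------------
PLAINTEXT_OVER_COPS = ProvisioningDecision(
    transport_protected=False,
    instances={
        "ipSecEspTransform": {"ipSecEspTransformCipherKey": b"\x01" * 16},
        "ipSecIkeAssociation": {"ipSecIkeAssociationPresharedKey": "sample-psk"},
    },
)

PROTECTED_INBAND = ProvisioningDecision(
    transport_protected=True,
    instances={
        "ipSecEspTransform": {"ipSecEspTransformCipherKey": b"\x02" * 16},
    },
)

OUT_OF_BAND = ProvisioningDecision(
    transport_protected=False,
    instances={
        # Key attributes are optional: leave them unset and key externally.
        "ipSecEspTransform": {"ipSecEspTransformCipherKey": None},
        "ipSecIkeAssociation": {},
    },
)

if __name__ == "__main__":
    for label, dec in [("plaintext", PLAINTEXT_OVER_COPS),
                       ("protected", PROTECTED_INBAND),
                       ("external", OUT_OF_BAND)]:
        verdict, where = audit(dec)
        print(f"{label:>10}: {verdict} {where}")
```

The audit deliberately treats an empty or None key attribute as "not supplied", matching the point in the thread that the key attributes are optional and that a deployment may leave them out and bind keys to the PIB through an external mechanism; only the "inband-plaintext" verdict represents a configuration the thread's security considerations rule out.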