
RE: IPSEC-PIB as mechanism for key distribution



> 
> > You probably noticed that all the "key" attributes are 
> optional. Hence, you don't have to use IPsec PIB to distribute keys.
> 
> Ok, but if the IPsec PIB doesn't specify the keys, how can I know 
> the keys to use?
> The IPsec PIB can't reference the keys. Must I use an external 
> mechanism to link the key with the PIB?

Yes.

> 
> > If you choose to distribute keys via IPsec PIB, you 
> certainly need to secure the transport, i.e., COPS-PR 
> protocol. These are discussed in the "security 
> considerations" section.
> 
> Ok, I need to secure the transport protocol (maybe IPsec or 
> TLS), and then it means that I need to distribute keys previously.
> In my opinion, I think key distribution must not be 
> permitted in the IPsec PIB (not even as optional) and another 
> mechanism has to be used to distribute keys (maybe another PIB or MIB).

Many other people have different opinions than yours and that's why we have the optional feature.  

> 
> Regards,
> Félix
> 
> > Best regards
> > Man Li
> >
> > > -----Original Message-----
> > > From: owner-ipsec-policy@xxxxxxxxxxxxx
> > > [mailto:owner-ipsec-policy@xxxxxxxxxxxxx]On Behalf Of ext
> > > Félix J.García
> > > Clemente
> > > Sent: Thursday, April 15, 2004 1:15 PM
> > > To: ipsec-policy@xxxxxxxx
> > > Subject: IPSEC-PIB as mechanism for key distribution
> > >
> > > Hello all,
> > > IPSEC-PIB has several attributes to specify keys. The attribute
> > > ipSecXXTransformIntegrityKey specifies the integrity key to be used,
> > > the attribute ipSecEspTransformCipherKey specifies the cipher key to
> > > be used, and the attribute ipSecIkeAssociationPresharedKey contains
> > > the pre-shared key.
> > > It means that IPSEC-PIB is used to distribute keys, doesn't it?
> > >
> > > I have noted that the keys don't have a specific class where they
> > > can be defined (for example ipSecSharedSecret), and so they must be
> > > specified in other classes and it is not possible to reference them.
> > > The keys are even transported by the PIB in plaintext. Maybe an
> > > attribute similar to 'Algorithm' of the class CIM_SharedSecret may
> > > be useful to protect the keys.
> > > Maybe it can be interesting in a future draft. What do you think?
> > >
> > > Regards,
> > > Félix
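The two positions taken in the thread, modelled as an added example (this is not code from the ipsec-policy list, from RFC 3571 or from any PIB/COPS-PR implementation): the key attributes named in the thread are optional; if a key is carried inline, the COPS-PR transport must already be secured, otherwise the key crosses the wire in the clear; if the attribute is omitted, an external mechanism has to link a key to the policy instance. The instance identifier `prid`, the `ExternalKeyStore`, the `PibPolicyError` exception and the `transport_secured` flag are all assumptions made for the illustration; only the three attribute names come from the thread.

```python
# Added example, not from the ipsec-policy thread or any IPsec PIB code.
# Models the choice discussed above: keys inline in the PIB (transport must
# be secured) versus keys omitted from the PIB and supplied out of band.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Attribute names taken from the thread; everything else is illustrative.
KEY_ATTRIBUTES = (
    "ipSecXXTransformIntegrityKey",
    "ipSecEspTransformCipherKey",
    "ipSecIkeAssociationPresharedKey",
)


class PibPolicyError(Exception):
    """Raised when a policy instance cannot be provisioned safely (hypothetical)."""


@dataclass
class PibInstance:
    """One provisioning-class instance; `prid` is a hypothetical instance id."""
    prid: str
    attrs: Dict[str, Optional[bytes]] = field(default_factory=dict)


class ExternalKeyStore:
    """Hypothetical out-of-band key store keyed by (prid, attribute name).

    This stands in for the 'external mechanism' the reply says is needed
    when the optional key attributes are left out of the PIB.
    """

    def __init__(self) -> None:
        self._keys: Dict[Tuple[str, str], bytes] = {}

    def put(self, prid: str, attr: str, key: bytes) -> None:
        self._keys[(prid, attr)] = key

    def get(self, prid: str, attr: str) -> Optional[bytes]:
        return self._keys.get((prid, attr))


def resolve_keys(inst: PibInstance, store: ExternalKeyStore,
                 transport_secured: bool) -> Dict[str, bytes]:
    """Return the keys a PEP should actually install for `inst`.

    Rules encoded here:
      * an inline key attribute is accepted only if the COPS-PR transport
        is secured; otherwise the key was sent in plaintext, the objection
        raised in the thread, and provisioning is refused;
      * an absent (optional) key attribute is resolved through the store;
      * a key that is neither inline nor in the store is an error, since
        the PIB has no other way to reference it.
    """
    resolved: Dict[str, bytes] = {}
    for attr in KEY_ATTRIBUTES:
        inline = inst.attrs.get(attr)
        if inline is not None:
            if not transport_secured:
                raise PibPolicyError(
                    f"{inst.prid}: {attr} sent inline over unsecured COPS-PR")
            resolved[attr] = inline
            continue
        external = store.get(inst.prid, attr)
        if external is None:
            raise PibPolicyError(
                f"{inst.prid}: no inline or external key for {attr}")
        resolved[attr] = external
    return resolved


def demo() -> Dict[str, Dict[str, bytes]]:
    """Constructed sample data; returns the resolved keys for two instances."""
    store = ExternalKeyStore()
    # Instance with no inline keys: every key comes from the store, so an
    # unsecured transport is acceptable for this instance.
    store.put("esp-1", "ipSecXXTransformIntegrityKey", b"I" * 20)
    store.put("esp-1", "ipSecEspTransformCipherKey", b"C" * 16)
    store.put("esp-1", "ipSecIkeAssociationPresharedKey", b"P" * 32)
    external_only = PibInstance("esp-1")

    # Instance carrying keys inline; valid only over a secured transport.
    inline = PibInstance("esp-2", {
        "ipSecXXTransformIntegrityKey": b"i" * 20,
        "ipSecEspTransformCipherKey": b"c" * 16,
        "ipSecIkeAssociationPresharedKey": b"p" * 32,
    })
    return {
        "esp-1": resolve_keys(external_only, store, transport_secured=False),
        "esp-2": resolve_keys(inline, store, transport_secured=True),
    }


if __name__ == "__main__":
    for prid, keys in demo().items():
        print(prid, {k: v[:4] for k, v in keys.items()})
```

The check that matters is the first branch of `resolve_keys`: an inline key over an unsecured transport is refused rather than installed, which is the "security considerations" requirement from the reply turned into enforcement at the PEP. Whether keys should be allowed inline at all is the disagreement the thread leaves open; the store path shows what the external linking mechanism has to provide, namely a lookup keyed by the instance the PIB cannot otherwise reference.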