> -----Original Message-----
> From: homenet [mailto:homenet-boun...@ietf.org] On Behalf Of Markus Stenberg
> Sent: 02 March 2015 15:11
> To: Mikael Abrahamsson
> Cc: homenet@ietf.org; Markus Stenberg; Margaret Wasserman; Christian Hopps
> Subject: Re: [homenet] routing protocol comparison document and hncp
> 
> On 2.3.2015, at 15.55, Mikael Abrahamsson <swm...@swm.pp.se> wrote:
> > On Mon, 2 Mar 2015, Margaret Wasserman wrote:
> >> I think Markus' comments on security are also very important to consider
> >> here, as some sort of integrated security mechanism between the routing
> >> protocol and HNCP might be strongly desired.
> >
> > Yes, I agree that HNCP has gained security that currently none of the
> > routing protocols have, and that this is important.
> >
> > Then one can always discuss what kind of information could go into each
> > protocol after bootstrap. Perhaps what we actually need is a new bootstrap
> > security protocol (not only for homenet), and that this is where the
> > emphasis should be.
> 
> Possibly. However, even if we had one, a bootstrap protocol does not lead
> easily to widely shared PSKs, and that's what routing protocols require.
> 
> E.g. anima bootstrap stuff is focusing only on enrolling certificates. If I
> had a certificate, I am not sure how it helps with the PSK IS-IS scheme.

Well, draft-pritikin-anima-bootstrapping-keyinfra-01 describes a way to
bootstrap a certificate infrastructure, zero touch. Once every device in a
domain has a domain certificate, two devices can directly authenticate each
other, without a PSK. Then you can also authenticate a key negotiation scheme
such as IKE, to negotiate a PSK which you can then use in your "normal"
authentication scheme. Obviously, it would be nice if the protocol supported
certs directly, but it's not required.

I still think that the above draft is a very good way to bootstrap a 
certificate infrastructure, which can be leveraged in many different ways. 

Michael
 
> Babel + IKE + IPsec, on the other hand, could of course run with the
> certificate, but would not be link-state => hard to replicate state.
> 
> Looking at fast adoption, perhaps OSPF would be preferable then, as it
> already runs over IP so the story would be just 'take TEH BOOTSTRAPPER,
> IKE, IPsec, OSPF' and the world is your oyster. No standardization required
> (beyond the dst-src draft by Baker, just like IS-IS).
> 
> Cheers,
> 
> -Markus
> 
> _______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet