Jari Arkko writes:
> As we point out in section 3.8 the current
> cellular networks sometimes have dynamic IP
> address changes, and therefore manually keyed IPsec
> isn't going to work as such and key management is
> needed. While there might be multiple options
> here, interoperability is a concern and hence
> I feel that we must have a mandated key management
> scheme. In the cellular host requirements draft, we
> have chosen to say that IKE is a MUST in those
> cases where we mandate IPsec. Do you disagree?
I don't know; it depends on what you're trying
to accomplish. Is there a reason that you must
choose one? I agree that dynamic addresses makes
manual keying problematic, but I'm not sure that
it follows that you need to pick one keying
scheme. Even with IKE, there's room for
interoperability issues (some might say far
too much room, but I digress).
> (In a way you could say that the cellular draft goes
> *beyond* what the current IETF MUSTs are, given
> that we mandate a full security solution in all cases,
> though at the same time we don't mandate the current
> requirement of AH and ESP in all cases.)
Well, at its base it's about what needs to be
implemented, right?
> Anyway, this is just *our* proposal on what we think
> would make sense. But the document is controlled by the
> WG; please state your proposed security MUSTs for
> IPv6 hosts, cellular or otherwise. Mike, what would you
> like to have there, for instance?
My personal feeling is that the ng working
group has the consensus about right. We need
a base level set of mechanisms for protecting
IP packets. Since this is normally kernel
level work, having a strong statement here
is useful. And while I think there's pretty good
consensus that IPsec (e.g., not IKE) is
stable and mature, there's equally good
consensus that IKE is not. Given KINK and
JFK/IKEv2 -- not to mention how widespread
transport mode keying really gets deployed --
I'm not sure that I'd want to choose any one
at this point. I personally think that the
Kerberos based keying is well suited to
high fan out kinds of applications like
telephony, but I wouldn't claim that it is
the only way (or The Way) to approach the
problem of keying.
Mike
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------