> IP Security, for one. The current IPsec can be used, though
> it's pretty cumbersome due to (a) the large number of similar SAs
> needed for manual keying, due to the destination address being
> part of SA lookup, and (b) the chicken-and-egg problem for IKE.
> Problem (a) could be solved, and the result would be a
> more easily usable IPsec for securing large private networks.
> For public networks manual keying does not scale, however.
> Perhaps something can be done for (b). For instance, one
> possible, even if ugly, solution is to provide an ND-level
> message to carry IKE-like traffic between the ND
> peers until an IPsec SA can be established. Contributions
> in this space are sought -- feel free to jump in here ;-)
>
Key distribution could be done via Layer 2 AAA or using the roaming
consortia idea we had in the ABK draft. However, I think that might
require some change in IPsec policy, because I believe the policy only
allows IKE or manual keying for key distribution.
jak
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------