In message <003601c20f81$2be0b620$1e6015ac@T23KEMPF>, "James Kempf" writes:
>> IP Security, for one. The current IPsec can be used, though
>> it's pretty cumbersome due to (a) large number of similar SAs
>> needed for manual keying due to destination address being a
>> part of SA lookup and (b) chicken-and-egg problem for IKE.
>> The problem (a) could be solved, and the result would be a
>> more easily usable IPsec for securing large private networks.
>> For public networks manual keying does not scale, however.
>> Perhaps something can be done for (b). For instance, one
>> possible, even if ugly, solution is to provide an ND-level
>> message to carry IKE-like traffic between the ND
>> peers until an IPsec SA can be established. Contributions
>> on this space are sought -- feel free to jump in here ;-)
>>
>
>Key distribution could be done via Layer 2 AAA or using the roaming
>consortia idea we had in the ABK draft. However, I think that might
>require some change in IPsec policy, because I believe the policy only
>allows IKE or manual keying for key distribution.
That's not correct. In fact, there's another working group, KINK,
whose goal is Kerberos key management for IPsec.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
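Problem (a) in the quoted text, as an added illustration that is not part of this thread: a toy model of an IPsec SAD in which the outbound SA identity either includes the destination address or is the SPI alone. The class names, the shared manual key and the peer list are constructed for the example.

```python
"""Toy IPsec SAD model (constructed for illustration, not real stack code).
When the destination address is part of the SA identity, a manually keyed
host in a mesh needs one SA per peer even though every SA carries the same
key and SPI; with an SPI-only identity a single shared entry serves all peers."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ESP = 50  # IP protocol number for ESP


@dataclass(frozen=True)
class SA:
    spi: int
    key: bytes


class SAD:
    """Security Association Database keyed either by (dst, proto, spi)
    or by (proto, spi); dst_in_key selects the behaviour."""

    def __init__(self, dst_in_key: bool) -> None:
        self.dst_in_key = dst_in_key
        self.table: Dict[Tuple, SA] = {}

    def _key(self, dst: str, proto: int, spi: int) -> Tuple:
        return (dst, proto, spi) if self.dst_in_key else (proto, spi)

    def install(self, dst: str, proto: int, spi: int, key: bytes) -> None:
        self.table[self._key(dst, proto, spi)] = SA(spi, key)

    def lookup(self, dst: str, proto: int, spi: int) -> Optional[SA]:
        return self.table.get(self._key(dst, proto, spi))


def manual_mesh_sad(peers: List[str], dst_in_key: bool) -> SAD:
    """Provision one host with a group-wide manual key (constructed sample)
    so it can send ESP to every peer; returns the populated SAD."""
    shared_spi, shared_key = 0x1000, b"\x11" * 16
    sad = SAD(dst_in_key)
    for peer in peers:
        sad.install(peer, ESP, shared_spi, shared_key)
    return sad


def entries_needed(peers: List[str], dst_in_key: bool) -> int:
    """Number of SAD entries one host must hold for the given lookup rule."""
    return len(manual_mesh_sad(peers, dst_in_key).table)
```

For four peers the destination-keyed SAD holds four identical SAs and the SPI-keyed SAD holds one, which is the duplication the quoted text calls cumbersome.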
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------