In message <002f01c210af$df9ec240$246015ac@T23KEMPF>, "James Kempf" writes:
>Hi Steve,
>
>> >Key distribution could be done via Layer 2 AAA or using the roaming
>> >consortia idea we had in the ABK draft. However, I think that might
>> >require some change in IPsec policy, because I believe the policy only
>> >allows IKE or manual keying for key distribution.
>>
>> That's not correct. In fact, there's another working group, KINK,
>> whose goal is Kerberos key management for IPsec.
>>
>
>Thanx for the correction.
>
>So is it the case then that there would be no change in IPsec policy
>required for doing AAA-based or roaming consortia-based key management?
>If so, then perhaps this problem is fairly straightforward to solve.

Well, as straight-forward as any key management issue...
But the word "policy" is important; there's a lot more to setting up an
IPsec than key exchange. Deciding exactly what to encrypt and how has
to be negotiated, imposed, or otherwise agreed-upon.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
--------------------------------------------------------------------