This thread is ending, so I will limit further distribution, explicitly removing libtech.
----- Forwarded message from Jim Small <jim.sm...@cdw.com> ----- Date: Tue, 11 Jun 2013 04:27:33 +0000 From: Jim Small <jim.sm...@cdw.com> To: IPv6 Hackers Mailing List <ipv6hack...@lists.si6networks.com> Subject: Re: [ipv6hackers] opportunistic encryption in IPv6 Reply-To: IPv6 Hackers Mailing List <ipv6hack...@lists.si6networks.com> Hi Mark, > >> > The fundamental challenge for encryption is key distribution and > >> management: > >> > * How do I authenticate the intended recipient(s)? > >> > * How do I distribute a key without letting anyone except the > >> intended recipient(s) get it? > >> > >> DH pretty well solves this, no? > > > > Yes and no. DH is a good answer, but IKE/IPsec still requires > > pre-shared keys or RSA key pairs to start with. > > Don't think so anymore. > > "Better-Than-Nothing Security: An Unauthenticated Mode of IPsec" > http://tools.ietf.org/html/rfc5386 Thanks - I was not aware of that. So BTNS is interesting - but it doesn't solve the above problems. Per the RFC, BTNS doesn't authenticate peers. It would seem that secure key distribution (maintain confidentiality, integrity, and authentication) remains a vexing problem. Here's an interesting question more relevant to the list and the paper though - are IPv6 CGAs useful? It seems like SeND is dead. But does anyone on the list think that CGAs could provide a useful competitive advantage for IPv6 over IPv4? Are these a useful building block? One thing I wonder about is a 64 bit hash is pretty small - I wonder if that is sufficiently complex to provide security for the coming decade+? PKI CAs using SCEP for enrollment/management work pretty well. If you could get a key pair from DHCP or as a function of using a directory service, use it to generate a CGA, and then use that just for authentication it would already be fantastic. Just being confident that an address is authentic and not spoofed is a huge improvement over the current state for Internet security. Thoughts? --Jim _______________________________________________ Ipv6hackers mailing list ipv6hack...@lists.si6networks.com http://lists.si6networks.com/listinfo/ipv6hackers ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech