On Tue, Jul 27, 2010 at 10:07:07AM +0300, Alper Yegin wrote:
> One other thing...
>
> We should also understand how the proposed solution compares to using
> IPsec-based security, which can get bootstrapped using EAP/IKEv2.
IPsec lacks the APIs needed to make solid use of it for end-to-end
security purposes. See RFC5660 for the beginnings of an IPsec API. See
also RFCs 5386 and 5056.
Ways to use IPsec for end-to-end security:
1) Use some API to key the SAs you need by using IKEv2 to carry the
EAP/SAML goo needed to authenticate the user<->rp and key the SAs.
2) Use BTNS [RFC5386] + connection latching [RFC5660] + channel binding
of application-layer authentication to the IPsec channel.
3) ??
There's a lot of reasons that I don't think (1) is likely. But (2) has
hardly been implemented either (and there's still a bit of missing
specification).
IMO: using IPsec for Moonshot is unrealistic. It'd be nice if it were
though!
Nico