[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: autoconfiguration

To: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>
Subject: Re: autoconfiguration
From: "Scott G. Kelly" <skelly@redcreek.com>
Date: Wed, 07 Oct 1998 09:36:10 -0700
CC: "'IPsec'" <ipsec@tis.com>
Organization: RedCreek Communications
References: <199810070038.UAA22238@istari.sandelman.ottawa.on.ca>
Sender: owner-ipsec@ex.tis.com

Michael C. Richardson wrote:

<trimmed...>

>   We have need to define a digital signature based AH. This is *not* going to
> be useful for bulk data transfers, but it does present a way to do things
> like initial config. The problem is then reduced to the problem of
> doing initial certificate enrollment and acquisition of appropriate
> certificate chains. While this isn't an easy problem, it is a problem
> that lots of people are already working on.
>   You can't solve the initial boot on the network problem in a secure
> fashion unless you simultaneously answer questions like:
>         - should you be allowed to connect here?
>         - should you get an address? (or did you turn some other guys'
>                 machine off, yanked the network card and/or copied the MAC
>                 and now are impersonating him?)
>         - if your PC gets fixed/upgraded/etc. do you risk loosing your
>         network identity?
> 

Mike St. Johns and I are working on a draft which discusses this problem
and proposes solutions. The working title is 'Secure Configuration of
IPsec-Enabled Network Devices'. I have another round of edits which I
hope to get to later this week, and then we will probably post the draft
for comment.

References:

Re: autoconfiguration

From: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>

Prev by Date: Re: autoconfiguration
Next by Date: Re: Re-keying Issues Document
Prev by thread: Re: autoconfiguration
Next by thread: VPN Interoperability Workshop Closed
Index(es):
- Main
- Thread