Hi Daniel,

On Tue, 6 Mar 2007, Daniel Park wrote:

> I am digging SeND-relevant text from the security-analysis draft:
> http://daniel.vsix.net/ietf/6lowpan/draft-daniel-6lowpan-security-analysis-02.txt
>
>    If NDP (Neighbor Discovery Protocol) is applied to 6lowpan, SeND
>    (Secure Neighbor Discovery) should be considered to provide security
>    in conjunction with the neighbor discovery protocol.  So far, CGA
>    (Cryptographically Generated Addresses) [RFC3972] and the SeND options
>    [RFC3971] have been newly designed by the IETF, and they work well over
>    existing IP networks.  However, CGA seems very complex to apply to
>    6lowpan networks.

=> Agree. That's why it needs to be replaced with a lighter but at least
equally (if not more!) efficient mechanism, and that's what OptiSEND
aims to provide.

>    Furthermore, SeND requires huge additional options (i.e., the CGA
>    option, the RSA Signature option, the Timestamp and Nonce options,
>    etc.), which increase the packet size accordingly.  Thus it is
>    doubtful whether the Secure Neighbor Discovery protocol could be
>    directly applicable to 6lowpan networks without any optimization.

=> Agree.

> We need further in-depth discussion here. Are you thinking
> SeND can be applied to 6lowpan networks? How much slimming
> down of SeND itself? It seems an interesting issue but also a really
> difficult one at the same time from the security point of view.

=> In a few words (but more work is of course still needed), OptiSEND
consists in using CGA *only* at the beginning (i.e., at attachment). The
CGA enables the node and the AR to derive a shared secret, which is
then used to authenticate all ND messages (i.e., which also means that
all ND messages go via the AR). One-way hash chains are suggested to
authenticate multicast Router Advertisement messages...

> Anyhow, I will go through your draft and get back to you with
> more details soon.

=> Thanks a lot! Comments highly appreciated.


Regards,

Wassim H.

_______________________________________________
6lowpan mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/6lowpan
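
The following is an added example and is not code from the OptiSEND draft, from Wassim's message, or from the 6lowpan list. It simulates the two per-message mechanisms the reply above sketches: unicast ND messages between a node and its AR carrying an HMAC under the node/AR shared secret, and multicast RAs authenticated with a one-way hash chain. The shared secret is constructed directly (how it is derived from the CGA exchange at attachment is not on the page and is left out); the per-association sequence number, the distribution of the chain anchor at attachment, and the TESLA-style delayed disclosure of chain elements (tag RA i with K_i, reveal K_{i-1} one interval later) are assumptions of this example, since the message only says "one-way hash chain". All payloads, seeds and keys are constructed sample data.

```python
"""Added example (not from the OptiSEND draft): HMAC-authenticated unicast ND
under a node/AR shared secret, plus hash-chain-authenticated multicast RAs.
The shared secret, the sequence counter, the anchor distribution and the
delayed-disclosure scheme are all assumptions of this example."""
import hashlib
import hmac

H = hashlib.sha256
TAG_LEN = 16  # truncated tag: a 32-byte MAC is a poor fit for 127-byte 802.15.4 frames


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, H).digest()[:TAG_LEN]


class NdAssociation:
    """One end of a node/AR association. Both ends hold the same shared key
    (assumed to exist after attachment); an increasing sequence number
    (assumed) lets the receiver drop replayed or reordered ND messages."""

    def __init__(self, shared_key: bytes) -> None:
        self.key = shared_key
        self.send_seq = 0
        self.recv_seq = 0  # highest sequence number accepted so far

    def protect(self, nd_msg: bytes) -> tuple:
        self.send_seq += 1
        seq = self.send_seq
        return seq, nd_msg, mac(self.key, seq.to_bytes(4, "big") + nd_msg)

    def accept(self, seq: int, nd_msg: bytes, tag: bytes) -> bool:
        if seq <= self.recv_seq:  # replayed or reordered: drop
            return False
        expected = mac(self.key, seq.to_bytes(4, "big") + nd_msg)
        if not hmac.compare_digest(expected, tag):
            return False
        self.recv_seq = seq
        return True


class RouterAdvertiser:
    """AR side of the chain. chain[j] = H^j(seed) and interval i uses
    K_i = chain[n-i], so the anchor K_0 = chain[n] commits to every later key."""

    def __init__(self, seed: bytes, n: int) -> None:
        chain = [seed]
        for _ in range(n):
            chain.append(H(chain[-1]).digest())
        self._chain, self.n, self.i = chain, n, 0
        self.anchor = chain[n]  # given to nodes at attachment (assumed: over the authenticated unicast channel)

    def key(self, i: int) -> bytes:
        return self._chain[self.n - i]

    def advertise(self, payload: bytes) -> tuple:
        """RA for the next interval: (i, payload, MAC under K_i, disclosed K_{i-1})."""
        self.i += 1
        if self.i > self.n:
            raise RuntimeError("hash chain exhausted; a new anchor must be distributed")
        return self.i, payload, mac(self.key(self.i), payload), self.key(self.i - 1)


class RaVerifier:
    """Node side. Checks each disclosed key against the last verified chain
    element, then uses it to verify the RA buffered from the earlier interval."""

    def __init__(self, anchor: bytes) -> None:
        self.last_key, self.last_i = anchor, 0
        self.pending = None  # (i, payload, tag) waiting for K_i to be disclosed
        self.accepted = []

    def receive(self, i: int, payload: bytes, tag: bytes, disclosed: bytes) -> bool:
        steps = (i - 1) - self.last_i  # > 1 only when intermediate RAs were lost
        if steps < 0:  # stale interval: its key is already public, so treat as forgery
            return False
        k = disclosed
        for _ in range(steps):
            k = H(k).digest()
        if k != self.last_key:  # disclosed key does not hash back onto the chain
            return False
        if self.pending is not None and self.pending[0] <= i - 1:
            j, p, t = self.pending
            kj = disclosed
            for _ in range((i - 1) - j):  # derive K_j from K_{i-1} if RAs in between were lost
                kj = H(kj).digest()
            if hmac.compare_digest(mac(kj, p), t):
                self.accepted.append(p)
        self.last_key, self.last_i = disclosed, i - 1
        self.pending = (i, payload, tag)  # checkable only once K_i is disclosed
        return True


if __name__ == "__main__":
    key = b"\x11" * 16  # constructed node/AR shared secret
    node, ar = NdAssociation(key), NdAssociation(key)
    seq, m, t = node.protect(b"NS target=fe80::1")  # constructed ND message
    print("AR accepts NS:", ar.accept(seq, m, t), "| replay:", ar.accept(seq, m, t))
    tx = RouterAdvertiser(b"constructed seed", 8)
    rx = RaVerifier(tx.anchor)
    ras = [tx.advertise(b"RA%d" % n) for n in (1, 2, 3, 4)]
    for r in (ras[0], ras[1], ras[3]):  # RA3 is lost on the air
        rx.receive(*r)
    print("authenticated RAs:", rx.accepted)
```

Note that an RA is only verifiable one interval late, so the node must also check that RA i arrived before the AR could have disclosed K_i (loose time synchronisation); the simulation enforces only the ordering of interval numbers.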