Jari Arkko wrote, around 30/11/07 12:53 AM:
Ric, Alper, "SAVA" as in the IETF effort? Or the specific approach that DSL networks use to guard against address spoofing? I think the latter... let's keep the SAVA arguments out of this discussion. There's a BOF in this IETF about this, and it is far too early to state anything about the end results. But so far all the designs we have talked about in that group for IPv6 have involved support for both stateless and DHCP.
Jari, the "SAVA" argument is not really about "SAVA" in the IETF but the fact that DHCP Authentication uses the Source IP Spoofing protections in Access Nodes to protect the layer 2 network as well as authenticate the IP session at the layer 3 edge.
DHCP authentication protects the layer 2, which can be very large in some DSL networks, from unauthenticated sessions, where other proposals would need some additional protocol or changes to the access nodes to secure them from malicious unauthenticated sessions.
The mechanism is that access nodes only introduce ARP entries into their ARP tables that they snooped from DHCP. Thus with DHCP authentication, if you do not authenticate, you cannot attack other services or end-devices on your layer 2.
- Ric
Jari
_______________________________________________ Int-area mailing list [email protected] https://www1.ietf.org/mailman/listinfo/int-area
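The mechanism described in the reply above, as an added example that is not part of the original thread: a small Python model of an access node whose ARP table is filled only from snooped DHCP ACKs. The `dhcp_server` function, the credential check, the port numbers and all addresses are constructed assumptions for illustration.

```python
"""Constructed model: an access node that trusts only DHCP-snooped bindings."""
from dataclasses import dataclass, field

# Constructed sample data (not from the thread).
VALID_CREDENTIALS = {"aa:aa:aa:aa:aa:01": "subscriber-secret"}
POOL = {"aa:aa:aa:aa:aa:01": "192.0.2.10"}


def dhcp_server(mac, credential):
    """Hypothetical server: returns a DHCPACK only if authentication succeeds."""
    expected = VALID_CREDENTIALS.get(mac)
    if expected is not None and expected == credential:
        return {"type": "ACK", "chaddr": mac, "yiaddr": POOL[mac]}
    return {"type": "NAK", "chaddr": mac}


@dataclass
class AccessNode:
    # ip -> (port, mac); populated only from DHCPACKs snooped on the uplink
    arp_table: dict = field(default_factory=dict)

    def snoop_dhcp_reply(self, port, reply):
        """Install a binding for a snooped ACK; a NAK installs nothing."""
        if reply["type"] == "ACK":
            self.arp_table[reply["yiaddr"]] = (port, reply["chaddr"])

    def permit(self, port, src_mac, src_ip):
        """Forward subscriber traffic (ARP included) only if it matches a binding."""
        return self.arp_table.get(src_ip) == (port, src_mac)


def run_demo():
    node = AccessNode()
    # Port 1: subscriber authenticates, the ACK is snooped, a binding is installed.
    node.snoop_dhcp_reply(1, dhcp_server("aa:aa:aa:aa:aa:01", "subscriber-secret"))
    # Port 2: wrong credential, the server answers NAK, no binding appears.
    node.snoop_dhcp_reply(2, dhcp_server("bb:bb:bb:bb:bb:02", "guess"))
    return {
        "authenticated_host": node.permit(1, "aa:aa:aa:aa:aa:01", "192.0.2.10"),
        # Unauthenticated host picks an address for itself: dropped.
        "self_assigned": node.permit(2, "bb:bb:bb:bb:bb:02", "192.0.2.99"),
        # Unauthenticated host claims the authenticated host's IP: dropped.
        "spoofed_ip": node.permit(2, "bb:bb:bb:bb:bb:02", "192.0.2.10"),
        # Same claim with the MAC forged too; the port still does not match.
        "spoofed_ip_and_mac": node.permit(2, "aa:aa:aa:aa:aa:01", "192.0.2.10"),
        "table": dict(node.arp_table),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```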
