Hi,

"T.J. Kniveton" wrote:

> Open Issues
> -----------
> SECURITY:
> The Router Solicitation must be protected by an Authentication Header.
> This is already a requirement.

Is it? Where do you find that requirement? The RA needs authentication
though.

> The Router Advertisement should/may be encrypted. If it is not, note
> that prefix information about the home network will be available for
> inspection along the path the RA travels. This security issue is the
> same as what exists in the current version.
> 
> I am open for comments on this idea.

I think this is a good way. Start-up procedure is a mess right now. The
basic argument against a special solution for bootstrapping was that
the MN-HA RS/RA mechanism is used in other places too:
 1. MN sends an RS at any point in time to sync its prefix list with the
HA.
 2. RA pushes an RA to the MN due to changed information in the home
network.

Can we move to non-tunneled RSes/RAs for these cases as well?

Will we open up a security hole or possible denial-of-service attack by,
let's say, flooding an HA with RSes (that don't require authentication), now
that we can send them over multiple hops?

/Mattias
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
