Francis Dupont <[EMAIL PROTECTED]> writes:

> PPS: with respect to security there's ongoing discussion on Mobile IP,
> around a novel method to generate addresses (Computationally
> Generated Addresses).
>
> => there is no reason to avoid DAD on CGAs: CGAs and RFC 3041 are
> not different.

First, I find CGA (Computationally Generated Addresses) mechanisms to have valuable IP security properties and are probably exploitable in some contexts.

Is it reasonable to ask two distanced MN's to verify they haven't generated same CGA Interface ID?

For clarification, I was suggesting that since IPv6 as is doesn't rely on mathematical uniqueness of random bits in Interface ID's, but enforces it with DAD, then it would seem natural that CGA mechanisms don't rely on that uniqueness either and should test it somehow.

If I understand CGA mechanisms correctly, there's a low probability (ok, extremely low) for CGA'ed Interface ID's to collide. Those Interface ID's are not on the same subnet, different prefixes, DAD won't find collisions. The security verification of those CGA'ed Interface ID's happens at the Correspondent Node, against attacker MN's.

Again, I'm no CGA expert and as Jari and Vijay said, nothing in CGA'ed addresses stops them from being DAD'ed on the subnet.

Alex

>
> Regards
>
> [EMAIL PROTECTED]

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
