Hi James,

After your reply, my expectations confirm more and more that this is
very much an AAA and PANA issue, and much less one of securing the ND.
Simple intuition tells me that if AAA and PANA can help authenticate
the access, then ND is subsequently secured.

If I were to work on securing ND, I would leave the key obtention
behind (be it AAA, IKE/JFK/LBJ, ABK, CGA) and concentrate on how AH
and ESP are applied to ND messages and see with that how to solve the
threat draft.  I might have a look into that, probably.

"James Kempf" <[EMAIL PROTECTED]> writes:
> > Threat 3.5 Bogus On-Link Prefix can be addressed by a smart legitimate
> > access router sending RA's with the attacker-prefix with lifetime 0.
> > A smart MN could even detect too many RA sequences
> > infinity-0-infinity-0 and consider that subnet unreliable.
> 
> Sure, but this is a more complicated solution that solves a single
> threat.

Yes, but it depends on what complex means.  Mathematical complexity,
implementation complexity, society institutions complexity.

> So I agree that there are some problems that ABKs solve and some
> not.

I think the ABKs have an important merit in that they let the system
configure the address the way it wants, doesn't impose bits and bytes
anywhere in the address.  I still need to understand how this is done,
it looks like magic to me :-)

Alex

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
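
Added example, not part of the original message or of any draft: a sketch of the host-side check mentioned in the quoted text, where a node watches Router Advertisements and treats a prefix as unreliable once its valid lifetime flips between zero and non-zero too often. The event tuples, threshold, window and function name are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque

INFINITE = 0xFFFFFFFF  # all-ones valid lifetime in a Prefix Information option = infinity

def unreliable_prefixes(ra_events, max_flips=4, window=30.0):
    """Return prefixes whose advertised valid lifetime flipped between zero
    and non-zero at least max_flips times within window seconds.

    ra_events: iterable of (timestamp_seconds, prefix, valid_lifetime),
    ordered by timestamp. max_flips and window are assumed tuning values.
    """
    last_alive = {}               # prefix -> True if last lifetime seen was non-zero
    flips = defaultdict(deque)    # prefix -> timestamps of recent state flips
    flagged = set()
    for ts, prefix, lifetime in ra_events:
        alive = lifetime != 0
        if prefix in last_alive and last_alive[prefix] != alive:
            recent = flips[prefix]
            recent.append(ts)
            # Drop flips that fell out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= max_flips:
                flagged.add(prefix)
        last_alive[prefix] = alive
    return flagged

# Constructed sample: one prefix flaps infinity-0-infinity-0, another is
# advertised normally and withdrawn once by its router.
SAMPLE = [
    (0.0,   "2001:db8:a::/64",   2592000),
    (1.0,   "2001:db8:bad::/64", INFINITE),
    (2.0,   "2001:db8:bad::/64", 0),
    (3.0,   "2001:db8:bad::/64", INFINITE),
    (4.0,   "2001:db8:bad::/64", 0),
    (5.0,   "2001:db8:bad::/64", INFINITE),
    (200.0, "2001:db8:a::/64",   2592000),
    (400.0, "2001:db8:a::/64",   0),
]

if __name__ == "__main__":
    print(sorted(unreliable_prefixes(SAMPLE)))
```

A single withdrawal, or flips spread over a long period, stay below the threshold, so ordinary renumbering is not flagged.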
