Alexandru Petrescu wrote:

> After your reply, my expectations confirm more and more that this is
> very much of AAA and PANA issue, and much less of securing the ND.
> Simple intuition tells me that if AAA and PANA can help authenticate
> the access, then ND is subsequently secured.

Well... while I'm an AAA guy myself, I really don't wish we need to get AAA everywhere just to secure our LAN control signaling. I'd like to concentrate also on infrastructureless methods.

> If I were to work on securing ND, I would leave the key obtention
> behind (be it AAA, IKE/JFK/LBJ, ABK, CGA) and concentrate on how AH
> and ESP are applied to ND messages and see with that how to solve the
> threat draft. I might have a look into that, probably.

This on the other hand is an interesting issue. We may be able to separate the keying part from the protection part, even if the keying would take place without an infrastructure as in CGA. E.g., a router could use the host's public CGA key to encrypt a session key which it sends to the host, and the host uses this key in AH/ESP to protect actual signaling.

But the modifications necessary before ESP works well enough for ND are pretty interesting. The basic problem we need to deal with manually keyed ESP is dst address as a pointer to the SA; this needs to change if manual keying is to be used. Another basic problem is inability to use *any* IP-based key management protocol (including IKE) due to chicken-and-egg effect. A third problem is that when the ND protection gets host specific - as it should - we need some way of indicating individual SAs.

Also, the above discussion indicates that if we are to secure ND, we need a requirements document first. It isn't clear to me whether everyone agrees that we need infrastructureless, infrastructure-based, manually keyed etc.

Jari

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
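The "dst address as a pointer to the SA" problem Jari raises, illustrated as an added example that is not part of the thread: every host sends Router Solicitations to the same multicast destination, so an SA database indexed by (destination, SPI) can hold only one key for all of them, whereas indexing by (source, SPI) gives each host its own SA. Addresses, session keys and the HMAC-SHA256 "ICV" are constructed stand-ins, not a real AH implementation.

```python
import hmac
import hashlib

ALL_ROUTERS = "ff02::2"  # destination of every host's Router Solicitation

# Constructed per-host session keys, as if each host had received one from the
# router (e.g. encrypted to the host's CGA public key, as the thread proposes).
HOST_KEYS = {
    "fe80::1": b"session-key-host-1",
    "fe80::2": b"session-key-host-2",
}

def icv(key, src, dst, payload):
    """AH-style integrity check value over the address pair and the ND payload."""
    return hmac.new(key, f"{src}|{dst}|".encode() + payload, hashlib.sha256).digest()

def protect(src, dst, payload, spi=1):
    """Host side: attach an ICV computed with this host's own session key."""
    return {"src": src, "dst": dst, "spi": spi, "payload": payload,
            "icv": icv(HOST_KEYS[src], src, dst, payload)}

def verify(sad, selector, pkt):
    """Router side: look the SA up with the given selector and check the ICV."""
    key = sad.get(selector(pkt))
    if key is None:
        return False
    expected = icv(key, pkt["src"], pkt["dst"], pkt["payload"])
    return hmac.compare_digest(pkt["icv"], expected)

# Classic manually keyed SA lookup: (dst, SPI). All hosts share the selector
# (ff02::2, 1), so only one key fits; here host 1's key was installed.
DST_INDEXED_SAD = {(ALL_ROUTERS, 1): HOST_KEYS["fe80::1"]}
# Host-specific alternative: (src, SPI), one SA per host.
SRC_INDEXED_SAD = {(src, 1): key for src, key in HOST_KEYS.items()}

def by_dst(pkt):
    return (pkt["dst"], pkt["spi"])

def by_src(pkt):
    return (pkt["src"], pkt["spi"])

def demo():
    """Verify one RS from each host under both SA indexing schemes."""
    pkts = [protect(src, ALL_ROUTERS, b"RS") for src in HOST_KEYS]
    return {
        "dst_indexed": [verify(DST_INDEXED_SAD, by_dst, p) for p in pkts],
        "src_indexed": [verify(SRC_INDEXED_SAD, by_src, p) for p in pkts],
    }
```

With destination indexing the second host's solicitation fails verification because its packet is checked against host 1's key; with source indexing both verify.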
