Alexandru Petrescu wrote:

> Two things here. One is that CGAs and address ownership were born out
> of very remote interactions, like in MN-CN across the whole network,
> while ND is happening on a link among neighbours; as such I think the
> infrastructure-less and infrastructure-based arguments apply a little
> less.

True (OTOH, other things being equal configuration-less and infrastructure-less is better).

> > But the modifications necessary before ESP works well enough for ND
> > are pretty interesting. The basic problem we need to deal with
> > manually keyed ESP is dst address as a pointer to the SA; this needs
> > to change if manual keying is to be used.
>
> Aha, I was thinking that manual keying will create an SA similar to
> the ones created by automatic keying, but I might be wrong.

They can be similar, but my point was that if you use manual keying you don't want to create a million SAs, while with dynamic keying you could in theory do that.

> > A third problem is that when the ND protection gets host specific -
> > as it should - we need some way of indicating individual SAs.
>
> Should it or shouldn't it? I would say that hosts should protect from
> routers and routers should protect from hosts. And hosts should
> protect from hosts, but we should not look into routers protecting
> from routers.

Yes... I meant that it isn't sufficient for the whole network to be secured with a single key. This would be possible with a small extension of IPsec (e.g. standardized SPI value for ND protection), but wouldn't work in public LANs.

Jari

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
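An added illustration of the two points in the thread, written for this page and not taken from the thread or from any IPsec implementation: why a single manually keyed SA (looked up by destination address plus SPI, so one group key for all ND traffic on the link) authenticates group membership but not the individual sender, and why host-specific protection needs the SA to be selected by something other than the multicast destination. The toy `SAD` class, its `lookup_by` modes, the `src` binding on an SA, and all addresses, SPIs and keys are assumptions constructed for the example; the ESP integrity check is modelled as an HMAC over the packet fields, not as real ESP encoding.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample values for the example (not real addresses, SPIs or keys).
ALL_NODES = "ff02::1"          # multicast destination used by ND on the link
HOST_A, HOST_B = "fe80::a", "fe80::b"


@dataclass(frozen=True)
class SA:
    spi: int
    key: bytes
    # Assumed extension for host-specific ND protection: the sender this SA
    # authenticates. None models a plain group SA shared by every node.
    src: Optional[str] = None


# (spi, src, dst, payload, icv): a stand-in for an ESP-protected ND packet.
Packet = Tuple[int, str, str, bytes, bytes]


def _icv(key: bytes, spi: int, src: str, dst: str, payload: bytes) -> bytes:
    """Integrity check value: HMAC-SHA256 over the fields a receiver verifies."""
    msg = spi.to_bytes(4, "big") + src.encode() + b"|" + dst.encode() + b"|" + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def protect(sa: SA, src: str, dst: str, payload: bytes) -> Packet:
    """Sender side: attach the ICV computed under the given SA."""
    return (sa.spi, src, dst, payload, _icv(sa.key, sa.spi, src, dst, payload))


class SAD:
    """Toy inbound security association database.

    lookup_by="dst": classic lookup keyed by (SPI, destination address), which
    for multicast ND means one SA per link, not per sender.
    lookup_by="spi": the assumed change where the SPI alone selects a
    sender-specific SA, so the destination address no longer has to do so.
    """

    def __init__(self, lookup_by: str):
        self.lookup_by = lookup_by
        self.entries: Dict[tuple, SA] = {}

    def _key(self, spi: int, dst: str) -> tuple:
        return (spi, dst) if self.lookup_by == "dst" else (spi,)

    def add(self, sa: SA, dst: str) -> None:
        self.entries[self._key(sa.spi, dst)] = sa

    def verify(self, pkt: Packet) -> bool:
        spi, src, dst, payload, icv = pkt
        sa = self.entries.get(self._key(spi, dst))
        if sa is None:
            return False                      # no SA: drop
        if sa.src is not None and sa.src != src:
            return False                      # SA is bound to a different sender
        return hmac.compare_digest(icv, _icv(sa.key, spi, src, dst, payload))


def shared_key_lan() -> Tuple[bool, bool]:
    """One manually keyed group SA for all ND traffic on the link.

    Returns (genuine NA from A accepted, NA claiming to be A but built by B accepted).
    """
    nd_spi, group_key = 0x100, b"constructed-shared-link-key"
    sad = SAD("dst")
    sad.add(SA(nd_spi, group_key), ALL_NODES)
    group_sa = SA(nd_spi, group_key)          # every node on the link holds this
    genuine = protect(group_sa, HOST_A, ALL_NODES, b"NA fe80::a is-at 00:11:22")
    # B holds the same key, so B can protect a message carrying A's address.
    from_b_as_a = protect(group_sa, HOST_A, ALL_NODES, b"NA fe80::a is-at 66:66:66")
    return sad.verify(genuine), sad.verify(from_b_as_a)


def per_host_lan() -> Tuple[bool, bool, bool]:
    """Host-specific SAs selected by SPI and bound to their sender.

    Returns (genuine NA from A accepted, B's own SA used for A's address accepted,
    A's SPI with a key B does not hold accepted).
    """
    sad = SAD("spi")
    sa_a = SA(0x10000001, b"key-only-host-A-holds", src=HOST_A)
    sa_b = SA(0x10000002, b"key-only-host-B-holds", src=HOST_B)
    sad.add(sa_a, ALL_NODES)
    sad.add(sa_b, ALL_NODES)
    genuine = protect(sa_a, HOST_A, ALL_NODES, b"NA fe80::a is-at 00:11:22")
    own_sa_wrong_src = protect(sa_b, HOST_A, ALL_NODES, b"NA fe80::a is-at 66:66:66")
    # B does not hold A's key; model that with a constructed wrong key under A's SPI.
    a_spi_wrong_key = protect(SA(sa_a.spi, b"not-the-real-key", src=HOST_A),
                              HOST_A, ALL_NODES, b"NA fe80::a is-at 66:66:66")
    return sad.verify(genuine), sad.verify(own_sa_wrong_src), sad.verify(a_spi_wrong_key)


if __name__ == "__main__":
    print("shared group key:", shared_key_lan())   # (True, True)
    print("per-host SAs:    ", per_host_lan())     # (True, False, False)
```

The first function is the case Jari calls insufficient: with one link-wide key, the receiver cannot tell A's neighbour advertisement from one that another key holder built with A's address, which is why it only works where every node on the link is trusted and not on a public LAN. The second function shows what host-specific protection requires of the SA lookup: because ND messages go to a multicast destination, the SA has to be selected by SPI (or some other per-sender indicator) and carry a binding to the sender it authenticates, which is the "way of indicating individual SAs" the quoted text asks for.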
