Markku,

> This might belong to IPSEC list, but just give a concrete idea about
> it, here is a solution sketch...
>
> Securing ND with existing IPSEC (kernel) only needs to agree on
> specific SPI to use and, assuming a special key management daemon,
> which would do the following tasks
>
>  - inputs "lan key from as configuration". All generated SA's use this
>    (or something derived from it deterministically)
>
>  - automatically installs following SA's
>
>    1) one SA for well known multicast addresses:
>
>       spi=1 dst=ff02::1 src=any protocol=any
>       spi=1 dst=ff02::2 src=any protocol=any
>
>    2) one SA for each own address and solicited node address:
>
>       spi=1 dst=myaddress, src=any, protocol=any
>       spi=1 dst=solicitednode, src=any, protocol=any
>

Maybe I'm showing my ignorance here, but how does the host install this
SA without doing ND? Use the multicast SA to bootstrap?

Other than that, this looks interesting. Why don't you write a draft on
it?

            jak

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
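
The SA list from the quoted sketch, built for one host from local configuration only. This is an added example, not code from either poster. The per-destination HMAC-SHA256 key derivation, the function names, and the sample key and addresses are assumptions; the thread only says keys are the LAN key "or something derived from it deterministically".

```python
import hashlib
import hmac
import ipaddress

SPI = 1                              # fixed SPI from the quoted sketch
WELL_KNOWN = ("ff02::1", "ff02::2")  # all-nodes and all-routers multicast


def solicited_node(addr: str) -> str:
    """Solicited-node multicast: ff02::1:ff00:0/104 plus the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def derive_key(lan_key: bytes, dst: str) -> bytes:
    """Assumed derivation: HMAC-SHA256(lan_key, packed destination address)."""
    packed = ipaddress.IPv6Address(dst).packed
    return hmac.new(lan_key, packed, hashlib.sha256).digest()


def build_sas(lan_key: bytes, own_addresses):
    """Return the SAs the sketch lists, one per distinct destination."""
    dsts = list(WELL_KNOWN)                        # 1) well-known multicast
    for addr in own_addresses:                     # 2) own + solicited-node
        dsts.append(str(ipaddress.IPv6Address(addr)))
        dsts.append(solicited_node(addr))
    sas = {}
    for dst in dsts:
        # Addresses sharing an interface ID map to one solicited-node group,
        # so keep only the first SA for each destination.
        sas.setdefault(dst, {"spi": SPI, "dst": dst, "src": "any",
                             "protocol": "any",
                             "key": derive_key(lan_key, dst)})
    return list(sas.values())


if __name__ == "__main__":
    # Constructed sample input: a made-up LAN key and two addresses that
    # share one interface identifier (link-local and documentation prefix).
    key = b"constructed-lan-key"
    addrs = ["fe80::202:b3ff:fe1e:8329", "2001:db8::202:b3ff:fe1e:8329"]
    for sa in build_sas(key, addrs):
        print(f"spi={sa['spi']} dst={sa['dst']} src={sa['src']} "
              f"protocol={sa['protocol']} key={sa['key'].hex()[:16]}...")
```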
