> Maybe I'm showing my ignorance here, but how does the host install this
> SA without doing ND? Use the multicast SA to bootstrap?

I gave a talk about what Markku was proposing a few IETF's ago under the
title "The Link-Shared Secret". Basically, you start with a shared-secret
that all nodes on the link use. You then derive IPsec SAs based on this.

> Other than that, this looks interesting. Why don't you write a draft on
> it?

It is interesting, until you factor in the famous Jeff Schiller problem:
Your attacker is often a legitimate user of the link.

A person who's trusted on the link can forge packets from any other
user on the link... including the router, or any other neighbors.

In a perfect world, ND would allow a host to only do host-type things, and
then only on behalf of the host itself.

You _might_ be able to separate out the router-advertising functions of ND by
using an AH auth transform that is a digital signature, but processing this
in interrupt context would be painful.

Solve the aforementioned Jeff Schiller problem, and you probably can secure
ND. If you can't, all such solutions will just limit your troublemakers to
who is allowed on the LAN.

To be fair, in some cases that's Good Enough (TM). Perhaps I should bring
back link-shared secret from the dead.

Dan
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
--------------------------------------------------------------------
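
Added example, not part of the original message: a sketch of why SAs derived from a link-shared secret authenticate link membership rather than the individual sender. The HMAC-based key derivation, the label, the SPI, the addresses and the payload are assumptions constructed for illustration; the message does not specify how the SAs are derived.

```python
import hashlib
import hmac

LABEL = b"link-shared-secret SA"  # constructed label, not taken from any spec


def derive_sa_key(link_secret: bytes, spi: int) -> bytes:
    """Assumed derivation: every node on the link runs this and gets the same key."""
    return hmac.new(link_secret, LABEL + spi.to_bytes(4, "big"), hashlib.sha256).digest()


def icv(sa_key: bytes, src: str, payload: bytes) -> bytes:
    """AH-style integrity check value over the claimed source and the payload."""
    return hmac.new(sa_key, src.encode() + b"\x00" + payload, hashlib.sha256).digest()


def accepts(sa_key: bytes, src: str, payload: bytes, tag: bytes) -> bool:
    """Receiver check: constant-time comparison against the recomputed ICV."""
    return hmac.compare_digest(icv(sa_key, src, payload), tag)


def run_demo() -> dict:
    spi = 0x100                               # constructed SPI
    link_secret = b"constructed-link-secret"  # constructed shared secret
    router = "fe80::1"                        # constructed router address
    ra = b"router advertisement (constructed)"

    # Each node derives its own copy of the SA key from the same link secret.
    router_key = derive_sa_key(link_secret, spi)
    host_a_key = derive_sa_key(link_secret, spi)
    host_b_key = derive_sa_key(link_secret, spi)
    outsider_key = derive_sa_key(b"wrong guess", spi)

    return {
        "keys_identical": router_key == host_a_key == host_b_key,
        # Genuine case: the router computes the ICV, host A verifies it.
        "router_msg_accepted": accepts(host_a_key, router, ra, icv(router_key, router, ra)),
        # Host B holds the same key, so an ICV it computes over the router's
        # address verifies identically: the ICV does not bind the sender.
        "member_claiming_router_accepted": accepts(host_a_key, router, ra, icv(host_b_key, router, ra)),
        # A node without the link secret is rejected.
        "outsider_accepted": accepts(host_a_key, router, ra, icv(outsider_key, router, ra)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```
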