> > > Maybe I'm showing my ignorance here, but how does the host install this
> > > SA without doing ND? Use the multicast SA to bootstrap?
> >
> > The "special ND key manager" generates the keys and installs the SA's
> > directly. It does not communicate with other hosts at all. Of course,
> > the key generation algorithm and SPI assignment logic must be the same
> > on each host (this is what would need an RFC to get an agreement).
> >
> > As far as the user is concerned, this would be no different from
> > configuring the "password" to the WLAN card of each host that wants to
> > participate. Only, with IPSEC the crypto would be much stronger.
> >
>
> We could leverage the roaming consortium or L2 AAA for this perhaps?
> Getting the user involved is not such a good option, as this has nothing
> at all to do with anything the user might be concerned about.
>

James, 

I haven't read your draft yet, but regarding the AAA
discussions, I prefer an infrastructureless solution:
it's easy to deploy, more reliable, and all the other
nice benefits of e2e are preserved.
Since most of the ND security issues are about
preventing address spoofing, I think CGAs would be a
perfect fit for this.

Hesham
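To make concrete how a CGA ties an address to the sender's public key so that a spoofer cannot claim it, here is an added example (not part of this thread) of RFC 3972 address generation and verification; the public-key bytes, modifier and prefix are constructed placeholders, not a real key.

```python
import hashlib
import os

# RFC 3972 CGA generation (Sec 4) and verification (Sec 5) for one 64-bit prefix.
# Constructed stand-in for a DER-encoded public key: the hash binds whatever
# bytes are here, so the real key encoding does not matter for the example.
FAKE_PUBKEY = b"\x30\x0d\x06\x09constructed-rsa-public-key-placeholder"

def hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """Leftmost 64 bits of SHA-1(modifier | prefix | collision count | key)."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]

def hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 = leftmost 112 bits of SHA-1(modifier | 9 zero bytes | key);
    its leftmost 16*sec bits must be zero (the extra work factor for higher Sec)."""
    h2 = int.from_bytes(hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14], "big")
    return h2 >> (112 - 16 * sec) == 0

def generate_cga(prefix: bytes, pubkey: bytes, sec: int = 0, modifier=None):
    """Return (16-byte address, CGA parameters) for a 64-bit prefix and a key."""
    modifier = modifier if modifier is not None else os.urandom(16)
    while not hash2_ok(modifier, pubkey, sec):  # expected 2^(16*sec) tries
        modifier = os.urandom(16)
    collision_count = 0  # would be incremented (at most to 2) after a DAD collision
    iid = bytearray(hash1(modifier, prefix, collision_count, pubkey))
    # write Sec into bits 0-2 of the interface ID and clear the u/g bits (6, 7)
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": collision_count, "pubkey": pubkey}
    return prefix + bytes(iid), params

def verify_cga(address: bytes, params: dict) -> bool:
    """True only if the address was derived from params['pubkey'] (RFC 3972 Sec 5)."""
    if len(address) != 16 or not 0 <= params["collision_count"] <= 2:
        return False
    prefix, iid = address[:8], address[8:]
    if params["prefix"] != prefix:
        return False
    sec = iid[0] >> 5
    h1 = hash1(params["modifier"], prefix, params["collision_count"], params["pubkey"])
    # compare Hash1 with the interface ID, ignoring the Sec and u/g bits of byte 0
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    return hash2_ok(params["modifier"], params["pubkey"], sec)

if __name__ == "__main__":
    prefix = bytes.fromhex("20010db800000001")  # constructed documentation prefix
    addr, params = generate_cga(prefix, FAKE_PUBKEY, sec=1)
    print(addr.hex(), verify_cga(addr, params))
    # a host claiming the same address with a different key fails verification
    print(verify_cga(addr, {**params, "pubkey": b"other-key"}))
```

A receiver that checks the CGA parameters and a signature under the same key in each ND message thus accepts an address only from the host that generated it.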
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------