In your previous mail you wrote: > - second the verification implies an expensive crypto operation > (typically a signature check) so the scheme is subject to trival DoS > attack, especially if each packet has to be checked (so or a session > key is negociated with an even more expensive and complex protocol, > or the use of CGA/KBA is very limited). This issue can be handled.
=> I don't believe without one of the two options in the parenthesis. For an example in the mipv6 space, see draft-roe-mobileip-updateauth-02.txt. => in this I-D all mechanisms build session keys (typically with a Deffie-Hellman exchange, i.e. IKE-like). The same applies also to DNS-based and AAA-based schemes as well. => infrastructure based systems don't need a bit per idea, sorry (:-). [EMAIL PROTECTED] PS: I am very unsatisfied by the result of today meeting: we are going nowhere (which is not the same thing than not moving). -------------------------------------------------------------------- IETF IPng Working Group Mailing List IPng Home Page: http://playground.sun.com/ipng FTP archive: ftp://playground.sun.com/pub/ipng Direct all administrative requests to [EMAIL PROTECTED] --------------------------------------------------------------------
