>
> > Or am I missing something?
>
> Pekka,
>
> Perhaps the question was about the whole address and not just
> the interface ID. You've described how the interface ID is
> cryptographically tied to a public key.
> But this doesn't per se prevent somebody fabricating a CGA
> address using an arbitrary prefix.
>
This is the case where somebody owning a given (public key, private key)
pair establishes a binding presumably, moves off to a different link
and tries to use the same interface id. Can you describe the attack
scenarios here? If the attacker wishes to do reflection attacks,
some other node on the old link should have the same IID which is
not very likely I guess.
> The way to avoid this for MIPv6 is to do a return routability test
> when the CGA address is verified. The RR test would ensure that the
> peer is reachable at the prefix. (And the RR test would
> essentially be done as part of the challenge to have the peer
> sign the nonce using the private key.)
>
Agreed.
-mohan
> Erik
>
> --------------------------------------------------------------------
> IETF IPng Working Group Mailing List
> IPng Home Page: http://playground.sun.com/ipng
> FTP archive: ftp://playground.sun.com/pub/ipng
> Direct all administrative requests to [EMAIL PROTECTED]
> --------------------------------------------------------------------
>
