Tony,
I agree with you that the "bit method" is not a good method.
On the effective value of the method I have to *disagree*, though.
There is, however, a need to divide the IP addresses into two
sets:
1. Addresses for which CGA (or something similar) is *required*.
2. Addresses for which CGA (or somethign similar) is not used
or is optional.
The reason for this is the "bidding down" attack.
> The fundemental decision comes down to; does the MN generate a CGA, and
> send a PK to the CN, or not. If it does the CN has what it needs to
> verify the IID, and if it doesn't then the receiver might waste a few
> cycles deciding that the IID is not based on a PK. The action the
> receiver takes at that point will be exactly the same as if it had seen
> the proposed bit cleared. THE BIT PROVIDES NO VALUE TO THIS PROCESS.
Here I have to *strongly* disagree.
The "bit" is one method for providing protection against the
bidding down attack. It effectively creates two IP address spaces,
those for which the receiver *requires* CGA, and those for which it
does not.
If we do *not* do this distinction, a Man-in-the-Middle can claim,
for *any* IP address, that CGA (or something similar) is not used.
That reduces the security of all addresses to the same base line,
effectively creating a situation where CGA (or similar) does not
provide any additional value at all. Ergo, *something* that divides
the IP address set into two distinct sets *is* needed, or otherwise
CGA and related methods bring no additional value.
If everybody agrees that CGA (and any security that is *not* based
on an external infrastructure but on "intrinsic cryptography")
is a bad idea, then fine with me. Let's forget this discussion.
But then we are effectively saying that zero-configuration security
is a bad idea and we don't want it.
Thus, this all is really about zero-configuration security. Such
security, by nature, is never "strong" by the strict definition of
strong, but it can be *much* stronger than the current no-security
situation. Basically, such security can provide quite a lot of
defence against various DoS attacks.
This two-address-space thing is only required for those recipients
that support both the current nodes with no understanding about
zero-conf security and the future nodes that do care about zero-conf
security. As I noted before, it requires that the initiator commits
a priori either to the "weak" method or the "strong" method.
The details differ, quite a lot in fact, depending on whether
we speak about MIPv6 or something else, e.g. secure Neighbor Discovery.
But the same need: dividing the address space into two distinct sets,
is there. Or at least that is my current understanding. Maybe I am
wrong.
Personally, I do not believe that any bold statements help here.
At least to me, this whole zero-conf security business is so new
that at least I need to have very humble attitude here. I learn
new issues all the time. On the other hand, IMHO we really want
to go towards zero-conf security. And if we do, we need some kind
of transition mechanism. Dividing the IPv6 address space seems to
serve as an important piece of such a transition mechanisms.
Of course, there are different ways of dividing the IPv6 address
space. If everybody thinks that using a bit in the IID is a bad
idea, then maybe we should consider distinct routing prefixes for
mobile hosts, and distinct link local addresses for secure ND.
--Pekka
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
