Bill Sommerfeld wrote:
> Using AH/ESP to protect ND works fine once the SA's exist.
>
> However, there's a chicken & egg problem if you want to use IKE, and
> manually configuring N*(N-1) SA's across N machines on the link is not
> deployable.

Actually, it's worse. ND uses e.g. the solicited node multicast address
and the unicast address -- even if each node had a single address. Since
the RFC 2401 SAs are indexed through <dest,SPI,proto>, you'll need
_multiple_ SAs between two machines, even in one direction. So, your
formula should be more like 2*M*N*(N-1) where M is the number of
addresses per node.

Jari

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
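
Added example, not part of the original message: it enumerates the manually keyed SAs that the reply's formula counts, reading the factor 2 as one SA per unicast destination plus one per solicited-node multicast destination (an assumption about the formula). Node names, addresses, the SPI numbering and the helper names are constructed for illustration.

```python
import ipaddress
from itertools import permutations

# Solicited-node multicast prefix ff02::1:ff00:0/104
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def solicited_node(addr):
    """Solicited-node multicast group: prefix plus low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))

def nd_destinations(addrs):
    """Destination addresses on which a node receives ND traffic."""
    dests = set()
    for a in addrs:
        dests.add(str(ipaddress.IPv6Address(a)))  # unicast destination
        dests.add(solicited_node(a))              # multicast destination
    # Addresses sharing their low 24 bits map to the same group, so the
    # set can be smaller than 2*M; 2*M*N*(N-1) is then an upper bound.
    return sorted(dests)

def manual_sa_table(nodes, proto="AH"):
    """One SA per (sender, destination address), keyed <dest, SPI, proto>."""
    table = []
    spi = 0x1000  # constructed SPI numbering, one value per SA
    for sender, receiver in permutations(nodes, 2):  # N*(N-1) directions
        for dest in nd_destinations(nodes[receiver]):
            table.append({"sender": sender, "dest": dest,
                          "spi": spi, "proto": proto})
            spi += 1
    return table

# Constructed link: N = 3 nodes, M = 2 addresses each, with distinct
# low 24 bits so every address has its own solicited-node group.
NODES = {
    "a": ["fe80::a:1", "2001:db8::aa:1"],
    "b": ["fe80::b:2", "2001:db8::bb:2"],
    "c": ["fe80::c:3", "2001:db8::cc:3"],
}

if __name__ == "__main__":
    table = manual_sa_table(NODES)
    n, m = len(NODES), 2
    print(f"{len(table)} SAs to configure; 2*M*N*(N-1) = {2 * m * n * (n - 1)}")
    for sa in table[:4]:
        print(sa)
```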
