Hi James,

> -----Original Message-----
> From: James Kempf [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 13, 2002 1:21 PM
> To: Bound, Jim; [EMAIL PROTECTED]
> Subject: Re: Securing Neighbor Discovery BOF
> 
> 
> Hi Jim,
> 
> > What is the point of this meeting.  We have so many meetings to go to.
> >
> > Just turn on IPsec whats not in ND to support this?
> >
> > What problem are you trying to solve?
> >
> > IPsec works for ND?
> >
> 
> We are interested in discussing how to secure IPv6 Neighbor Discovery in
> a way that would work well for public access networks (but not
> exclusively confined to that).

So you're talking about either coming on a public link or over PPP and there is ND and 
you want IPsec right?  If so just use IPsec?  I still don't know what you're missing.
If you mean folks don't like the keying or have not figured that out I agree.  But 
then it is a misnomer to say it is an IPsec problem.  It is an IPsec Keying problem 
and this is a different statement.  IPsec does work over ND.

> 
> RFC 2461 specifies that IPsec should be used to secure the signaling
> involved in ND, but does not provide any details about how this should
> be done, and, specifically, how key distribution would be done. IKE
> won't work because it requires ND so there is a bootstrapping problem.
> Manual keying would work for a small private network, and possibly even
> for a larger enterprise network, but it would be extremely inconvenient
> for public access networks. There have also been some proposals to use
> other security protocols rather than IPsec for ND security.

OK so it is a Keying problem.  We as architects have a very important responsibility 
here.
Saying in public mail "IPsec don't work on ND" is a bad thing.  Keying is of course an 
issue and all of us who have implemented IPsec are well aware of this issue and real 
time in the market place.  We work around it via 3rd party Certificate Keying ISVs in 
that business and get the job done.  Once that happens it works for ND and other parts 
of IPv6.

Yes I can see AAA working and the advantages of PANA exactly for this purpose for sure as 
an alternative solution.  And it probably will perform better IMO. (unless IPsec and keys 
can be downloaded to a smartcard or net processor).

> 
> The immediate need for this work comes out of plans by ISPs, especially
> in Asia, to deploy public access IPv6 wireless networks (NTT
> Communications is running a prototype deployment in Kyoto at the
> moment). While the problem of ND security is not, in principle, any
> better or worse with wireless than with wireline, current wireline links
> tend to have less of a problem because they typically are point to point
> rather than multi-access, so the issue doesn't arise, though it might
> also be a problem with wireline multi-access links that do not use PPPoE
> or other solutions to make the link look point to point.

Agreed and I would also argue it needs to work between wireline and wireless as the 
user sticks their handheld back in the docking station at work or home.

> 
> If you are interested in the potential threats, I'd suggest reading
> draft-kempf-netaccess-threats-01.txt, which I've just resubmitted to the
> Internet drafts editor (it had timed out in April), and if you have
> something specific you would like to speak about, please let either
> Pekka or myself know.

Well you know me James I am a very secure individual and think the paranoid have way too 
much influence over our technology :---)  But I will read this spec on my todo list as 
a professional and if I have questions will get back to you privately or Pekka or both.

thanks
/jim

> 
>             jak
> 
> 

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------