On Thu, 13 Jun 2002, Jari Arkko wrote:
> Bill Sommerfeld wrote:
> >
> > Using AH/ESP to protect ND works fine once the SA's exist.
> >
> > However, there's a chicken & egg problem if you want to use IKE, and
> > manually configuring N*(N-1) SA's across N machines on the link is not
> > deployable.
>
> Actually, it's worse. ND uses e.g. the solicited node multicast
> address and the unicast address -- even if each node had a single
> address. Since the RFC 2401 SAs are indexed through <dest,SPI,proto>,
> you'll need _multiple_ SAs between two machines, even in one
> direction. So, your formula should be more like 2*M*N*(N-1) where
> M is the number of addresses per node.
I'm only grasping at straws here, but the logical approach at keying would be
requiring manual keying with a router in the subnet, through which the rest
of the keys would then be negotiated (somehow). Even that may be unscalable,
and manually keying like 2-4 keys may be problematic also, but that might be
workable. There are some issues here (like when performing DAD for
link-locals, and someone telling that the address is already in use,
verifying whether that is legit or not as one has not been able to contact
the router yet) though.

I haven't really thought about this enough, but I wonder if anyone else has
tried to follow this path, and seen where it leads.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
