Jari,

> 
> > But it is a clear DOS and can happen in ARP, ES-IS, et al.  I would
> > argue if this is a problem then IPsec can be used before ICMP in ND.
> > And this has been implemented by some.  I would think most SA
> > verification code happens at the IP layer when the packet is received
> > by routine like ip_input (v4 or v6) and IPsec mandates all packets be
> > checked for SA.
> 
> Yes, though you run into a couple of practical problems when you
> actually try to do this, namely problems getting IKE to run before
> you can send UDP packets, and the relatively large number of manual
> SAs if manual keying is used (2*n+2 SAs per node where n is the
> number of interface ids on the network, or something like that).

The IKE UDP issue is only an implementation issue; the spec works.  We
have known this about manual keying since the beginning.  IPsec will
work and with IKE.

> 
> > The other point is except for the mobile nodes roaming the link is
> > secure at layer -0 (the link in the building and you're not allowed in
> > the building without an identification per the armed guards).  But for
> > public links this is an issue and for wireless nodes but that is the
> > work for SEND to do is my belief.  I think you need to look at using
> > IPsec as one method. But redefining the ND or Addrconf architecture
> > should not be in the SEND charter.
> 
> Exactly, so that's why SEND is actually trying to use IPsec and
> Pekka is asking clarifications on why certain things are like they
> are in ND. We are working on the problems mentioned above. Work
> still remains, as you can see one of the issues we are thinking
> about is the relevance of link layer addresses and what checks are
> necessary or possible.

Clarification is good.  Was the spec not clear?

/jim

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
