
Re: SEND IDs [Re: Comments on draft-nordmark-multi6-threats-01]



On 9-jun-04, at 10:52, Brian E Carpenter wrote:

>> On a related note: the SEND CGA stuff mandates using the subnet prefix in creating the interface identifier and as such makes it impossible to have the same interface identifier in different subnets. I was unable to convince them of the error of their ways and apparently there was no IETF last call or I missed it so now this stupidity is an RFC. We should do our best to make sure there isn't any more of this.
>
> I happen to agree with you and disagree with Christian - there should
> be a mode in SEND in which the CGA address is generated without including
> the (typically /48) prefix which will vary between ISPs when multihomed.
>
> For multi6, I believe we should not feel constrained by this. It would
> be a fairly simple extension to SEND to allow this, and it might be
> a very valuable functionality vs security tradeoff for a multihomed
> site that wanted to run SEND.

My idea exactly. However, I find it very unfortunate that something which has a fairly obvious flaw is published as an RFC. It seems to me the IETF is spending inordinate amounts of time on fixing problems that shouldn't have gotten that far in the publication cycle in the first place. (I shouldn't have used the word "stupidity", though.)


But let's get our own stuff in order first...