
Re: SEND IDs [Re: Comments on draft-nordmark-multi6-threats-01]



On 9-jun-04, at 11:55, Jari Arkko wrote:

> Nevertheless, we also explained to Iljitsch how SEND CGA
> addresses can be extended, and how such extensions could
> in future be used to create addresses that are based on
> CGA but still have the same IID part. Basically, we can
> add arbitrary data to the input of the CGA generation,
> and this could be used to include all the prefixes of
> a host or site in the address. We also explained that
> this approach would still have a lot of not-so-trivial
> details to worry about, including what to do when prefixes
> get deprecated or new ones are added.

I think there was some confusion about all of this on the SEND list, as this was never the approach I advocated, as this makes everything more complex, which is never good in general and especially in the area of security.


What I wanted was to allow the use of any on-link prefix in the CGA generation. So if a link has prefixes A and B, and a host generates a CGA interface identifier using prefix A, the host gets to use this same interface identifier to create an address with prefix B. I don't see how this hurts anyone who isn't interested in this, but it would allow switching prefixes and maintaining the lower 64 bits without breaking CGA. Still, we don't know if that's something that's required, so the whole thing may turn out to be moot anyway when we decide on a multi6 mechanism.
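
Added example, not part of the original message: a Python sketch of why reusing the interface identifier under a second prefix fails ordinary CGA verification, and what a relaxed check would accept. It assumes the CGA parameter layout and Hash1 computation of RFC 3972 with Sec=0 (so the Hash2 check is skipped); `verify_any_onlink` is a hypothetical verifier for the "any on-link prefix" idea, and the prefixes, modifier and key bytes are constructed sample values.

```python
import hashlib
import ipaddress

def prefix64(text):
    """Leftmost 64 bits of an IPv6 prefix written like '2001:db8:a::'."""
    return ipaddress.IPv6Address(text).packed[:8]

def cga_iid(modifier, prefix, collision_count, pubkey, sec=0):
    """Hash1: leftmost 64 bits of SHA-1 over the CGA parameters (RFC 3972 layout)."""
    digest = hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()
    iid = bytearray(digest[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)  # Sec in the top 3 bits, u and g bits cleared
    return bytes(iid)

def verify_strict(address, params):
    """Ordinary rule: the prefix in the parameters must be the address's own prefix."""
    modifier, prefix, count, pubkey = params
    return prefix == address[:8] and cga_iid(modifier, prefix, count, pubkey) == address[8:]

def verify_any_onlink(address, params, on_link):
    """Hypothetical relaxed rule: the parameter prefix only has to be on-link."""
    modifier, prefix, count, pubkey = params
    if prefix not in on_link or address[:8] not in on_link:
        return False
    return cga_iid(modifier, prefix, count, pubkey) == address[8:]

# Constructed sample values (documentation prefixes, placeholder key bytes).
PREFIX_A, PREFIX_B, PREFIX_C = (
    prefix64(p) for p in ("2001:db8:a::", "2001:db8:b::", "2001:db8:c::"))
MODIFIER = bytes(range(16))
PUBKEY = b"constructed-placeholder-public-key"
PARAMS_A = (MODIFIER, PREFIX_A, 0, PUBKEY)

IID = cga_iid(*PARAMS_A)
ADDR_A = PREFIX_A + IID  # normal CGA on prefix A
ADDR_B = PREFIX_B + IID  # same interface identifier moved to prefix B
ADDR_C = PREFIX_C + IID  # same identifier on a prefix that is not on this link

if __name__ == "__main__":
    for name, addr in (("A", ADDR_A), ("B", ADDR_B), ("C", ADDR_C)):
        print(name, ipaddress.IPv6Address(addr),
              "strict:", verify_strict(addr, PARAMS_A),
              "any-on-link:", verify_any_onlink(addr, PARAMS_A, {PREFIX_A, PREFIX_B}))
```

The relaxed check binds the identifier to the key and to the set of on-link prefixes rather than to one prefix, so the verifier needs a trustworthy view of which prefixes are on-link.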