
Re: addition of TLV to locator ID or locator ID set

> Right, and the protocol we have for key data exchange is IKE.

Well... not really. I at least tend to think of security problems
as somewhat application specific. We've certainly tried on many
occasions to use an underlying IPsec/IKE security model to do
things beyond basic VPN. However, in my experience this
has most often failed. See http://www.arkko.com/publications/SWP03.pdf
for a discussion of some of these cases.

> At which point you may possibly just want to use IPsec AH to secure the traffic. Would I be correct in thinking that the only advantage of CGA for such off-link authentication would be saving the packet-data overhead of the AH header?

No. There were, in fact, a number of other fundamental issues that
led to the selection of CGA-in-ND-options approach in SEND over
AH-enhanced-with-CGA. These issues had to do with the
division of work within a stack, the expressive power of policy
entries, co-existence with non-SEND devices, mismatch between
provided and expected models (e.g. number of parties), and so
on.

--Jari