[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: addition of TLV to locator ID or locator ID set
Right, and the protocol we have for key data exchange is IKE.
Well... not really. I at least tend to think of security problems
as somewhat application specific. We've certainly tried on many
occasions to use an underlying IPsec/IKE security model to do
things beyond basic VPN. However, in my experience this
has most often failed. See http://www.arkko.com/publications/SWP03.pdf
for a discussion of some of these cases.
At which point you may possibly just want to use IPSec AH to secure
the traffic. Would I be correct in thinking that only advantage CGA
for such off-link authentication would be saving packet-data overhead
of the AH header?
No. There were, in fact, a number of other fundamental issues that
led to the selection of CGA-in-ND-options approach in SEND over
AH-enhanced-with-CGA. These issues had to do with the
division of work within a stack, the expressive power of policy
entries, co-existence with non-SEND devices, mismatch between
provided and expected models (e.g. number of parties), and so