Hi Suresh,

Sorry, but some points are unclear to me.

First, what assumptions do you have regarding the MN? From my point of view, the MN is able to use SEND, by using either a CGA or a cert linked to its address. Is it the same assumption for you? Because I am not sure this is the case :)

Second point, if the MN has a CGA, how does the ND Proxy get the cert which will allow it to sign the NDP signaling instead of the MN?

Last point, if the MN has a cert linked to its address, how is this cert provided to the MN?

Thanks for your help.

Cheers.

JMC.

2008/6/18, Suresh Krishnan <[EMAIL PROTECTED]>:
> Hi Jean-Michel,
> Please see comments inline
>
> Jean-Michel Combes wrote:
> > Hi Julien,
> >
> > 2008/6/12, Julien Laganier <[EMAIL PROTECTED]>:
> > > Hello Jean-Michel,
> > >
> > > On Saturday 07 June 2008, Jean-Michel Combes wrote:
> > > > Hi,
> > > >
> > > > After a quick review, I have one comment and one question:
> > > > - IMHO, your solution should work too with anycast addresses case
> > >
> > > It seems so. It also seems it would work to secure NS/NA exchange based
> > > on certificates rather than CGA.
> >
> > Not sure that certs defined in krishnan-cgaext-send-cert-eku are well
> > adapted for such a use: IMHO, prefix ownership is not the same as
> > address ownership.
>
> Why not :-)? If the IP address in the certificate is a /128 and the EKU
> value is "owner" (or some variant of this), these certificates can be used
> for address ownership.
>
> > > To achieve that it would also be
> > > necessary to define another EKU (extended key usage) for "Address
> > > ownership", in addition to "Router" and "Proxy".
> >
> > But what is in the cert when you want to use it to proxy NS/NA? An
> > address or a prefix?
>
> The /128 address of the node with eku value of "owner"
>
> > > > - How will a ND-Proxy get the certificate authorizing it to act as an
> > > > ND-Proxy?
> > >
> > > In the same fashion that a Router gets the certificate authorizing it to
> > > act as a router.
> >
> > May I have details in the case of the MIPv6 scenario? Especially, who
> > does provide the cert?
>
> In very basic terms, the certificate is provided by anyone that the
> MN trusts. e.g. this could be the mobility service provider.
>
> Cheers
> Suresh

_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
