Jari,

> [...]
>
> > Sharing the same link-local address on different MAGs would
> > require all MAGs of a PMIPv6 domain to construct the CGA and the
> > RSA Signature option with the same public-private key pair, which
> > is not acceptable from a security point of view.
>
> AFAIK there is no requirement that routers construct CGAs.

If the router does not construct a CGA it will not be able to send secure Neighbor Advertisement messages for its own address, as per RFC3971:

   Neighbor Solicitation and Advertisement messages without the CGA
   option MUST be treated as unsecured

Since the router does need to send Neighbor Advertisements for its own address whenever a host on the link initiates Neighbor Unreachability Detection, it seems to me that there is indeed a requirement that a router constructs a CGA as per RFC3971.

Am I missing something?

--julien

_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
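
Added example (not part of the original message, and not code from any SEND implementation): a Python sketch of CGA generation and verification as specified in RFC 3972 for Sec=0, showing why a link-local CGA is tied to one public key. The function names, the modifier and the two key byte strings are constructed for illustration; real SEND hashes the DER-encoded RSA public key.

```python
import hashlib
import ipaddress

LINK_LOCAL = bytes.fromhex("fe80000000000000")  # fe80::/64 subnet prefix
ID_MASK = 0x1CFFFFFFFFFFFFFF  # ignores Sec bits 0-2 and u/g bits 6-7 (RFC 3972)

def hash1(modifier, prefix, collision_count, public_key):
    """Leftmost 64 bits of SHA-1 over the CGA Parameters (no extension fields)."""
    params = modifier + prefix + bytes([collision_count]) + public_key
    return int.from_bytes(hashlib.sha1(params).digest()[:8], "big")

def cga_generate(modifier, prefix, public_key, collision_count=0):
    """Build a Sec=0 CGA: Hash1 with the Sec and u/g bits cleared."""
    iid = hash1(modifier, prefix, collision_count, public_key) & ID_MASK
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))

def cga_verify(address, modifier, prefix, public_key, collision_count=0):
    """Receiver-side check for Sec=0: does this key own this address?"""
    packed = ipaddress.IPv6Address(address).packed
    if len(modifier) != 16 or collision_count not in (0, 1, 2):
        return False
    if packed[:8] != prefix:
        return False
    iid = int.from_bytes(packed[8:], "big")
    if (iid >> 61) != 0:  # Sec > 0 also needs the Hash2 check, not done here
        return False
    expected = hash1(modifier, prefix, collision_count, public_key)
    return (iid & ID_MASK) == (expected & ID_MASK)

# Constructed stand-ins for two MAGs' DER-encoded RSA public keys.
MAG1_KEY = b"constructed-public-key-of-MAG1"
MAG2_KEY = b"constructed-public-key-of-MAG2"
MODIFIER = bytes(16)  # constructed; normally 16 random octets

def demo():
    shared = cga_generate(MODIFIER, LINK_LOCAL, MAG1_KEY)
    return {
        "address": shared,
        "mag1_owns": cga_verify(shared, MODIFIER, LINK_LOCAL, MAG1_KEY),
        "mag2_owns": cga_verify(shared, MODIFIER, LINK_LOCAL, MAG2_KEY),
        "mag2_own_address": cga_generate(MODIFIER, LINK_LOCAL, MAG2_KEY),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check fails for MAG2's key, so a second MAG could only send SEND-protected advertisements for that address by holding MAG1's key pair, which is the key-sharing concern quoted above.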
