In your previous mail you wrote:

   > PPS: with respect to security there's ongoing discussion on Mobile IP,
   > around a novel method to generate addresses (Computationally
   > Generated Addresses).
   >
   > => there is no reason to avoid DAD on CGAs: CGAs and RFC 3041 are
   > not different.

   First, I find CGA (Computationally Generated Addresses) mechanisms to
   have valuable IP security properties and are probably exploitable in
   some contexts.

=> I agree, CGA have only two drawbacks: IPR (grrr!) and they are not for
free (i.e. they involve some crypto operations).

   Is it reasonable to ask two distanced MN's to verify they haven't
   generated same CGA Interface ID?

=> DAD is a link operation.

   For clarification, I was suggesting that since IPv6 as is doesn't rely
   on mathematical uniqueness of random bits in Interface ID's, but
   enforces it with DAD, then it would seem natural that CGA mechanisms
   don't rely on that uniqueness either and should test it somehow.  If I
   understand CGA mechanisms correctly, there's a low probability (ok,
   extremely low) for CGA'ed Interface ID's to collide.  Those Interface
   ID's are not on the same subnet, different prefixes, DAD won't find
   collisions.  The security verification of those CGA'ed Interface ID's
   happens at the Correspondent Node, against attacker MN's.

=> I believe you've mixed in a confusing way the uniqueness of an
address/IID on a link (guaranteed by DAD) and the uniqueness of a CGA
from the security point of view. They are very different questions.

Regards

[EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------