This might belong to the IPSEC list, but just to give a concrete idea about
it, here is a solution sketch...

Securing ND with existing IPSEC (kernel) only needs to agree on
specific SPI to use and, assuming a special key management daemon,
which would do the following tasks

 - inputs "lan key from as configuration". All generated SA's use this
   (or something derived from it deterministically)

 - automatically installs the following SA's

   1) one SA for well known multicast addresses:

      spi=1 dst=ff02::1 src=any protocol=any
      spi=1 dst=ff02::2 src=any protocol=any

   2) one SA for each own address and solicited node address:

      spi=1 dst=myaddress, src=any, protocol=any
      spi=1 dst=solicitednode, src=any, protocol=any

 - when kernel IPSEC asks a specific SA with dst= link local (unicast
   or multicast), src=any, protocol=any, it installs:

      spi=1 dst=requested-dst src=any protocol=any

then the following security policy is sufficient to protect all ND
discovery and all link local traffic for good measure.

   ff02/16 -> use ESP (src=any, protocol=any)
   fe80/10 -> use ESP (src=any, protocol=any)

For example, when link comes up, system would need to send RS, thus it
matches the multicast destination policy actually and the preinstalled
SA

   spi=1 dst=ff02::2 src=any protocol=any

Note that the SA's with multicast dst can be used both incoming and
outgoing.

When kernel needs to send neighbor solicitation, the solicited node
destination matches the policy and appropriate SA is requested from
the special key management.

At least it would work this way with my IPSEC :-). Only the "special
key management" needs to be written. Doesn't look too difficult to me.

The end result would be "multiple virtual lans" on the same physical
media (ethernet, wlan). Only those nodes with same configured key
would see each other.

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
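The sketch above (pre-installed SA's for ff02::1, ff02::2, each own address and its solicited-node group; on-demand SA's for other link-local destinations; one shared spi=1; keys derived from the configured LAN key) can be modelled as a small userland simulation of the "special key management" daemon. This is an added example, not code from the post or from any IPsec implementation: it keeps an SPD and SAD in Python dictionaries instead of talking to a kernel, and it assumes HMAC-SHA256 of the LAN key over the destination address as the "derived deterministically" per-SA key, which the post leaves unspecified.

```python
"""Simulation of the key management daemon sketched in the post.

SPD: ff02::/16 and fe80::/10 -> ESP required, src=any, protocol=any.
SAD: every SA uses spi=1; the key is derived from one configured LAN key.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

SPI = 1  # the single well-known SPI agreed on in the post

# Security policy database from the post: destination prefix -> action
SPD = [
    (ipaddress.ip_network("ff02::/16"), "ESP"),
    (ipaddress.ip_network("fe80::/10"), "ESP"),
]


@dataclass(frozen=True)
class SA:
    spi: int
    dst: str
    key: bytes
    src: str = "any"
    protocol: str = "any"


def derive_sa_key(lan_key: bytes, dst: str) -> bytes:
    """Per-destination key: HMAC-SHA256(lan_key, dst).

    Assumption of this example; the post only requires that the key be
    derived deterministically from the LAN key, so every node holding the
    same LAN key computes the same SA key for the same dst.
    """
    return hmac.new(lan_key, dst.encode(), hashlib.sha256).digest()


def solicited_node(addr: str) -> str:
    """RFC 4291 solicited-node multicast: ff02::1:ffXX:XXXX (low 24 bits)."""
    raw = ipaddress.IPv6Address(addr).packed
    prefix = b"\xff\x02" + b"\x00" * 9 + b"\x01\xff"
    return str(ipaddress.IPv6Address(prefix + raw[-3:]))


class KeyManagementDaemon:
    def __init__(self, lan_key: bytes, own_addresses):
        self.lan_key = lan_key
        self.sad = {}  # security association database: dst -> SA
        # 1) SA's for the well-known multicast addresses (all-nodes, all-routers)
        for group in ("ff02::1", "ff02::2"):
            self._install(group)
        # 2) SA's for each own address and its solicited-node address
        for addr in own_addresses:
            self._install(addr)
            self._install(solicited_node(addr))

    def _install(self, dst: str) -> SA:
        sa = SA(spi=SPI, dst=dst, key=derive_sa_key(self.lan_key, dst))
        self.sad[dst] = sa
        return sa

    def policy_for(self, dst: str):
        """Return 'ESP' when the SPD covers dst, else None (no protection)."""
        ip = ipaddress.ip_address(dst)
        for net, action in SPD:
            if ip in net:
                return action
        return None

    def acquire(self, dst: str):
        """Kernel asks for an SA towards dst (src=any, protocol=any).

        Outside the policy nothing is installed; inside it an existing SA is
        reused or 'spi=1 dst=requested-dst' is installed on demand.
        """
        if self.policy_for(dst) is None:
            return None
        return self.sad.get(dst) or self._install(dst)


if __name__ == "__main__":
    # Constructed sample: one node with one link-local address.
    node = KeyManagementDaemon(b"lan-key-from-configuration", ["fe80::1"])
    print("pre-installed:", sorted(node.sad))
    print("RS to ff02::2 ->", node.acquire("ff02::2"))
    print("NS to a peer ->", node.acquire("fe80::abcd"))
    print("global dst  ->", node.acquire("2001:db8::1"))
```

Running it shows the behaviour the post describes: the router solicitation to ff02::2 hits a pre-installed SA, a neighbour solicitation to a new link-local peer triggers an on-demand install with the same spi, and a global destination falls outside the policy entirely. Two daemons constructed with the same LAN key derive identical SA keys, so their nodes can exchange ND; a node with a different LAN key ends up on a different "virtual lan".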
