This might belong on the IPSEC list, but just to give a concrete idea about it, here is a solution sketch...
Securing ND with existing IPSEC (kernel) only needs agreement on a specific SPI to use and, assuming a special key management daemon, which would do the following tasks:

- inputs "lan key" from its configuration. All generated SAs use this (or something derived from it deterministically)

- automatically installs the following SAs:

  1) one SA for the well-known multicast addresses:

     spi=1 dst=ff02::1 src=any protocol=any
     spi=1 dst=ff02::2 src=any protocol=any

  2) one SA for each own address and solicited-node address:

     spi=1 dst=myaddress src=any protocol=any
     spi=1 dst=solicitednode src=any protocol=any

- when kernel IPSEC asks for a specific SA with dst=link local (unicast or multicast), src=any, protocol=any, it installs:

     spi=1 dst=requested-dst src=any protocol=any

Then the following security policy is sufficient to protect all ND discovery and, for good measure, all link-local traffic:

  ff02/16 -> use ESP (src=any, protocol=any)
  fe80/10 -> use ESP (src=any, protocol=any)

For example, when the link comes up, the system would need to send an RS; thus it matches the multicast destination policy and the preinstalled SA spi=1 dst=ff02::2 src=any protocol=any. Note that the SAs with multicast dst can be used both incoming and outgoing.

When the kernel needs to send a neighbor solicitation, the solicited-node destination matches the policy and the appropriate SA is requested from the special key management.

At least it would work this way with my IPSEC :-). Only the "special key management" needs to be written. Doesn't look too difficult to me.

The end result would be "multiple virtual LANs" on the same physical media (ethernet, wlan). Only those nodes with the same configured key would see each other.
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
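The "special key management" daemon sketched in the post above, as an added example that is not code from the original message or from any real IPsec implementation. It simulates the daemon's state only: the kernel's SA request is modelled by the hypothetical KeyManager.request_sa() call rather than PF_KEY/XFRM, the per-SA key is derived from the LAN key with HMAC-SHA256 over the destination address (one way to read "something derived from it deterministically"; the post does not fix the method), and the SPI value 1 is the one the post uses. Solicited-node addresses are formed per RFC 4291 (ff02::1:ff00:0 plus the low 24 bits of the unicast address).

```python
"""Simulation of the key management daemon from the ND-over-IPsec sketch.

Added example; assumptions (not in the original post):
  - KeyManager.request_sa() stands in for the kernel asking for an SA
  - SA keys = HMAC-SHA256(lan_key, "nd-esp|" + exploded dst address)
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

SPI = 1  # the single agreed-upon SPI from the sketch

LINK_MCAST = ipaddress.IPv6Network("ff02::/16")   # policy: ff02/16 -> ESP
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")   # policy: fe80/10 -> ESP
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


@dataclass(frozen=True)
class SA:
    spi: int
    dst: str
    key: bytes
    src: str = "any"
    protocol: str = "any"


def solicited_node(addr: str) -> str:
    """RFC 4291 solicited-node multicast address for a unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24))


def policy_requires_esp(dst: str) -> bool:
    """The two-line security policy from the sketch."""
    a = ipaddress.IPv6Address(dst)
    return a in LINK_MCAST or a in LINK_LOCAL


class KeyManager:
    """One daemon instance per node; self.sad is its SA database."""

    def __init__(self, lan_key: bytes, own_addresses):
        self.lan_key = lan_key
        self.sad: dict = {}
        # 1) SAs for the well-known multicast addresses (used both ways)
        for mc in ("ff02::1", "ff02::2"):
            self._install(mc)
        # 2) one SA per own address and its solicited-node address
        for own in own_addresses:
            self._install(own)
            self._install(solicited_node(own))

    def _derive(self, dst: str) -> bytes:
        # deterministic per-destination key; every node with the same
        # lan_key derives the same key for the same dst (assumed scheme)
        canon = ipaddress.IPv6Address(dst).exploded.encode()
        return hmac.new(self.lan_key, b"nd-esp|" + canon, hashlib.sha256).digest()

    def _install(self, dst: str) -> SA:
        dst = str(ipaddress.IPv6Address(dst))
        sa = SA(SPI, dst, self._derive(dst))
        self.sad[dst] = sa
        return sa

    def request_sa(self, dst: str):
        """Kernel-side SA acquire for an outgoing packet (hypothetical hook)."""
        dst = str(ipaddress.IPv6Address(dst))
        if dst in self.sad:
            return self.sad[dst]
        if not policy_requires_esp(dst):
            return None  # not link-local: policy does not demand ESP
        return self._install(dst)  # link-local dst: install on demand

    def inbound_sa(self, spi: int, dst: str):
        """Inbound lookup by (spi, dst); multicast SAs serve both directions."""
        sa = self.sad.get(str(ipaddress.IPv6Address(dst)))
        return sa if sa is not None and sa.spi == spi else None


def can_exchange(sender: KeyManager, receiver: KeyManager, dst: str) -> bool:
    """True if receiver holds a matching SA for a packet sender ESP-encodes to dst."""
    out = sender.request_sa(dst)
    if out is None:
        return False
    inb = receiver.inbound_sa(out.spi, dst)
    return inb is not None and hmac.compare_digest(inb.key, out.key)


if __name__ == "__main__":
    # constructed sample: two nodes on "virtual LAN" A, one on B
    a1 = KeyManager(b"lan-key-A", ["fe80::1"])
    a2 = KeyManager(b"lan-key-A", ["fe80::2"])
    b1 = KeyManager(b"lan-key-B", ["fe80::3"])
    print("a1 -> a2 NS:", can_exchange(a1, a2, solicited_node("fe80::2")))  # True
    print("b1 -> a2 NS:", can_exchange(b1, a2, solicited_node("fe80::2")))  # False
```

Nodes a1 and a2 agree on a key for every link-local destination without any exchange, because both derive it from the same LAN key; b1 derives a different key for the same destination, so its ND traffic is undecodable to a2, which is the "multiple virtual LANs on one medium" effect the post describes. Note that this gives group authentication only: any node holding the LAN key can forge ND for any other node, so it does not replace per-node authentication where that is the threat.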