I have three concerns about this CGA/KBA idea:
 - first this idea is about interface IDs, not addresses (so for Mobile
   IPv6 we need Return Routability too). Kempf's I-D about neighbor
   discovery is about real addresses and ABK (address based keys) which
   does not have this and the last concerns.
 - second the verification implies an expensive crypto operation
   (typically a signature check) so the scheme is subject to a trivial DoS
   attack, especially if each packet has to be checked (so either a session
   key is negotiated with an even more expensive and complex protocol,
   or the use of CGA/KBA is very limited).
 - last I don't believe you can manage real trust with only one bit
   and if you need more bits to negotiate something the IPv6 address
   will quickly become too small. IMHO this is a dead-end.
And please apply some "commercial" considerations to this kind of
scheme: if the burden is for someone and the benefit is for another one,
this shall never work in the real world.

Regards

[EMAIL PROTECTED]

PS: Dave, this message has nothing to do with you...
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
