> But isn't there a simple attack in which the attacker sends an
> NA message out with the victim's link layer address in the
> option but its own address on the frame? Naturally, if the
> link layer allows the attacker to send out frames under a
> false address, it could fully spoof the victim as well.

Yes, but it will be found out with the first packet to that node because it will not be delivered and time out and removed from the cache of the victim, worst case. Best case, the disconnect between Etherlike (*) and IP layer will catch it immediately. But it is a clear DOS and can happen in ARP, ES-IS, et al.

I would argue if this is a problem then IPsec can be used before ICMP in ND. And this has been implemented by some. I would think most SA verification code happens at the IP layer when the packet is received by a routine like ip_input (v4 or v6), and IPsec mandates all packets be checked for SA.

Now a bad person could still do this with IPsec if they got the key, received authorization from the authority, etc. But there will be no perfect security ever, IMO.

The other point is, except for the mobile nodes roaming, the link is secure at layer -0 (the link in the building, and you're not allowed in the building without an identification per the armed guards). But for public links this is an issue and for wireless nodes, but that is the work for SEND to do is my belief.

I think you need to look at using IPsec as one method. But redefining the ND or Addrconf architecture should not be in the SEND charter.

Regards,
/jim

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
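
As an added illustration, not part of the original messages: a Python check for the mismatch discussed in this thread, where the link-layer address carried in a Neighbor Advertisement's Target Link-Layer Address option differs from the source address on the frame itself. The function names, MAC addresses and the 2001:db8:: target are constructed for the example; IPv6 extension headers and ICMPv6 checksum validation are not handled.

```python
import struct

ETH_P_IPV6, ICMPV6, NA_TYPE, OPT_TLLA = 0x86DD, 58, 136, 2

def check_na(frame: bytes):
    """Return None for non-NA or malformed frames, else a dict of findings."""
    if len(frame) < 14 + 40 + 24:
        return None
    eth_src = frame[6:12]
    ethertype, = struct.unpack("!H", frame[12:14])
    plen, nxt, hop = struct.unpack("!HBB", frame[18:22])
    if ethertype != ETH_P_IPV6 or nxt != ICMPV6:  # extension headers not handled
        return None
    icmp = frame[54:54 + plen]
    if len(icmp) < 24 or icmp[0] != NA_TYPE or icmp[1] != 0:
        return None
    tlla, opts = None, icmp[24:]
    while opts:
        if len(opts) < 2 or opts[1] == 0 or opts[1] * 8 > len(opts):
            return None  # truncated or zero-length option: treat as malformed
        if opts[0] == OPT_TLLA and opts[1] == 1:  # 8 bytes total: 48-bit MAC
            tlla = opts[2:8]
        opts = opts[opts[1] * 8:]
    return {
        "target": icmp[8:24],
        "frame_src": eth_src,
        "tlla": tlla,
        "bad_hop_limit": hop != 255,  # RFC 4861: receivers discard such NAs
        "mismatch": tlla is not None and tlla != eth_src,
    }

def build_na(frame_src: bytes, tlla: bytes, target: bytes, hop: int = 255) -> bytes:
    """Constructed sample frame for the demo; ICMPv6 checksum left as zero."""
    icmp = bytes([NA_TYPE, 0, 0, 0]) + struct.pack("!I", 0x20000000) + target
    icmp += bytes([OPT_TLLA, 1]) + tlla
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop)
    ip6 += target + bytes.fromhex("ff02" + "00" * 13 + "01")  # src, all-nodes dst
    eth = bytes.fromhex("333300000001") + frame_src + struct.pack("!H", ETH_P_IPV6)
    return eth + ip6 + icmp

if __name__ == "__main__":
    mac_a, mac_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    target = bytes.fromhex("20010db8" + "00" * 11 + "10")  # constructed address
    for src in (mac_a, mac_b):
        r = check_na(build_na(src, mac_a, target))
        print(src.hex(":"), "option", r["tlla"].hex(":"), "mismatch:", r["mismatch"])
```

A mismatch is a signal to alert on rather than proof of spoofing, and as the quoted message points out, this comparison sees nothing when the frame source address is forged as well.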