In your previous mail you wrote:

  For reference, the full text of (the candidate of) the new revision is
  available at:
  http://www.jinmei.org/draft-ietf-ipv6-scoping-arch-02rc1.txt

  > Steve Bellovin:
  > Discuss:
  > [2004-07-06] The Security Considerations section should note that the
  > ambiguity of addresses means that unqualified source IP addresses
  > cannot safely be used in security contexts such as ACLs or IKE
  > negotiation.

  Proposed resolution: add the following paragraph at the head of the
  security considerations section:

    The ambiguity of limited scope addresses has security implications.
    In particular, unqualified source IP addresses regarding their scope
    cannot safely be used in security contexts such as access control
    lists or key negotiations for IP security.

=> IMHO the proposed resolution is not accurate enough: there is a real
issue with scoped addresses and IKE which is not really addressed. It has
been known for many years; I remember some message exchanges with Itojun
about this (I proposed a fix for racoon, the KAME IKE implementation).
Fortunately I have a text about this issue in my MIPv6/IPsec framework
draft which I translated to xml two days ago in order to refresh it...
I put it as it is at the end of this message.
Regards

[EMAIL PROTECTED]

PS: please ask if you need help to understand my text or to adapt it to
your draft.

PPS: some details:
 - the original text is pretty old (feb 2002)
 - the SCOPING reference is the scoping architecture draft
 - the term partition comes from mathematics

<section anchor="scoped" title="Scoped Addresses">
<t>
This topic is not really a Mobile IPv6 one, but in practice in the
"mobile VPN" case there is a heavy usage of limited scope or private
addresses.
</t>
<t>
The issue is that addresses carried in identity or traffic selector
payloads are not clothed with zone identifiers. Only the peer addresses
used to transport messages have an indirect indication of their zones.
</t>
<t>
The IPv6 address architecture <xref target="SCOPING" /> gives the
properties of zones: at a given scope, zones form a partition, i.e., an
interface belongs to one and only one zone. They have an inclusion
property too, i.e., a zone of a given scope is fully included into a
zone of any higher scope. This gives an inheritance property which is
safe when it is used in the proper way: to establish SAs with global
addresses with IKE running over link-local addresses is safe, the
opposite is not.
</t>
<t>
<iref item="RULE" subitem="" />
RULE: The default policy SHOULD accept scoped addresses as selectors of
SAs only when they are established using peer addresses (for the
transport of IKE/IKEv2/etc messages) which are in fully included zones.
</t>
</section>

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
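As an added illustration (not part of the message above, the scoping draft, or the author's MIPv6/IPsec draft), the following Python sketch models the quoted RULE: an unqualified selector address inherits the zone of the interface the IKE message arrived on, and that inheritance is accepted only when the selector's scope is at least the IKE peer's scope, so that the peer's zone is fully included in the inherited one. The two-interface host, its zone ids, and all addresses are constructed for the example.

```python
"""Zone-inclusion check for IKE traffic selectors (constructed example).

Selector addresses in IKE payloads carry no zone identifier; the only zone
information available is the receiving interface and the peer address used
to transport the exchange.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Scope levels ordered as in the scoping architecture: a zone of lower
# scope is fully included in exactly one zone of each higher scope.
LINK_LOCAL, SITE_LOCAL, GLOBAL = 2, 5, 14

# Constructed host: two interfaces in different link-local zones, both in
# the same site zone and in the single global zone.  Values are zone ids.
INTERFACES: Dict[str, Dict[int, int]] = {
    "eth0": {LINK_LOCAL: 1, SITE_LOCAL: 1, GLOBAL: 1},
    "eth1": {LINK_LOCAL: 2, SITE_LOCAL: 1, GLOBAL: 1},
}

def scope_of(addr: str) -> int:
    """Classify a unicast IPv6 address into one of the three scope levels."""
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:
        raise ValueError("multicast addresses are not handled here")
    if a.is_link_local:
        return LINK_LOCAL
    if a.is_site_local:  # deprecated fec0::/10, kept as a scoped example
        return SITE_LOCAL
    return GLOBAL        # everything else is treated as global scope

def qualify_selector(ike_ifname: str, ike_peer: str,
                     selector: str) -> Optional[Tuple[str, int]]:
    """Return (selector, zone id) if the selector may be accepted, else None.

    The selector inherits the receiving interface's zone at its own scope.
    That is safe only when the selector's scope is at least the peer's, so
    that the peer's zone is contained in the inherited zone.  A selector of
    smaller scope than the IKE transport stays ambiguous and is rejected by
    default, as the RULE requires.
    """
    peer_scope = scope_of(ike_peer)
    sel_scope = scope_of(selector)
    if sel_scope < peer_scope:
        return None
    return selector, INTERFACES[ike_ifname][sel_scope]
```

Note that the same unqualified link-local selector yields a different zone depending on which interface received the IKE message, which is exactly the ambiguity the DISCUSS points at.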