So, thinking some more about it, I have this nasty feeling about the
usefulness of SEND. Compare the two topologies:

        Host-A <---> learning bridge <---> Host-B
        Host-A <---> ND-Proxy        <---> Host-B

SEND will work just fine with the learning bridge topology, but will not
work with the ND-Proxy topology. Yet, do you really believe that one is
inherently more secure than the other? Learning bridges can do all kinds
of interesting tricks, in fact more so than proxies. 

SEND secures the mapping between an IPv6 address and a MAC address, but
it does nothing to guarantee that the L2 topology actually delivers the
packets to the intended destination. When we expend all that energy
signing neighbor discovery packets, have we really improved security?

-- Christian Huitema

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
