Rémi Denis-Courmont wrote:

IIRC, the DoCoMo implementation is basically a proof-of-concept-grade hack.
It works with user-space packet filtering hooks, instead of being built
into the real IPv6 neighbor discovery code.

SeND is theoretically not easy to deploy - you need to provision
cryptography material on all nodes. That implementations are not even
properly integrated into operating systems makes it worse. I somewhat
expect that somewhat secure networks will use network-side filtering as is
done for ARP instead, as it requires no host-side changes.



DoCoMo's implementation is not properly integrated into operating systems, but IMO that is not the case with other implementations. As you have mentioned, DoCoMo's SeND uses the Berkeley Packet Filter to divert SeND traffic from the kernel to a userland daemon, and vice versa; which means that (1) all network traffic (both SeND and non-SeND) has to traverse the filter and (2) it relies on the netgraph subsystem (which is not available in all operating systems). But this will be fixed soon -- the implementation that I am working on, within the FreeBSD community, will introduce native kernel APIs for SeND for *BSDs. The code will be partially built into the real ND code in the kernel, except for part of the cryptographic processing, which will remain in userland.

What I am trying to say is that there are serious SeND implementations. IMO, we just lack interoperability testing results.

Ana
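Ana's message describes the DoCoMo design, where a packet filter diverts SeND traffic to a userland daemon. As an added illustration (not code from DoCoMo, from the FreeBSD work Ana mentions, or from any project on this list), the following Python sketches the decision such a filter has to make for every ND packet: parse the ICMPv6 option chain, drop malformed messages, and separate messages carrying an RSA Signature option (RFC 3971 option type 12) from plain RFC 4861 ND. The sample packets, addresses and option contents are constructed placeholders; no real CGA parameters or signatures are involved, and the checksum field is left zero.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# ICMPv6 Neighbor Discovery message types (RFC 4861) and the size of each
# message's fixed part after the 4-byte ICMPv6 header (type, code, checksum).
ND_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
            137: "Redirect"}
ND_FIXED_LEN = {133: 4, 134: 12, 135: 20, 136: 20, 137: 36}

# ND option types: the RFC 4861 options plus the SeND options of RFC 3971.
OPTION_NAMES = {1: "Source Link-Layer Address", 2: "Target Link-Layer Address",
                3: "Prefix Information", 4: "Redirected Header", 5: "MTU",
                11: "CGA", 12: "RSA Signature", 13: "Timestamp", 14: "Nonce"}
RSA_SIGNATURE_OPTION = 12


@dataclass
class NDMessage:
    icmp_type: int
    options: List[Tuple[int, bytes]] = field(default_factory=list)
    error: Optional[str] = None


def parse_nd(payload: bytes) -> NDMessage:
    """Parse an ND message; `payload` starts at the ICMPv6 header.

    The ICMPv6 checksum is not verified here: it covers the IPv6
    pseudo-header, which a filter sees in the enclosing IPv6 packet.
    """
    if len(payload) < 4:
        return NDMessage(icmp_type=-1, error="truncated ICMPv6 header")
    icmp_type, code = payload[0], payload[1]
    if icmp_type not in ND_TYPES:
        return NDMessage(icmp_type=icmp_type, error="not a neighbor discovery message")
    if code != 0:
        return NDMessage(icmp_type=icmp_type, error="ND messages must have code 0")
    offset = 4 + ND_FIXED_LEN[icmp_type]
    if len(payload) < offset:
        return NDMessage(icmp_type=icmp_type, error="truncated fixed part")
    msg = NDMessage(icmp_type=icmp_type)
    # Options form a TLV chain: type (1 octet), length in 8-octet units (1 octet).
    while offset < len(payload):
        if len(payload) - offset < 2:
            msg.error = "truncated option header"
            break
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            # RFC 4861 section 4.6: a zero-length option invalidates the packet.
            msg.error = "zero-length option"
            break
        end = offset + opt_len * 8
        if end > len(payload):
            msg.error = "option runs past end of packet"
            break
        msg.options.append((opt_type, payload[offset + 2:end]))
        offset = end
    return msg


def classify(payload: bytes) -> str:
    """Where a divert filter would send the packet: 'not-nd', 'malformed',
    'plain' (unsecured ND, left to the kernel) or 'send' (carries an RSA
    Signature option, so it goes to the SeND verification path)."""
    msg = parse_nd(payload)
    if msg.icmp_type not in ND_TYPES:
        return "not-nd"
    if msg.error:
        return "malformed"
    if any(t == RSA_SIGNATURE_OPTION for t, _ in msg.options):
        return "send"
    return "plain"


def _opt(opt_type: int, data: bytes) -> bytes:
    """Build one ND option, zero-padding the data to a multiple of 8 octets."""
    body = bytes([opt_type, 0]) + data
    body += b"\x00" * ((-len(body)) % 8)
    return bytes([opt_type, len(body) // 8]) + body[2:]


# Constructed sample packets: link-local target, zero checksum, placeholder
# option contents (CGA parameters and signature are not real).
TARGET = bytes.fromhex("fe80000000000000020c29fffe1a2b3c")
NS_HEADER = bytes([135, 0, 0, 0]) + b"\x00" * 4 + TARGET
LLADDR = _opt(1, bytes.fromhex("000c291a2b3c"))

PLAIN_NS = NS_HEADER + LLADDR
SEND_NS = (NS_HEADER + LLADDR
           + _opt(11, b"\x00" * 2 + b"CGA-PARAMETERS-PLACEHOLDER")
           + _opt(13, b"\x00" * 6 + (1234567890).to_bytes(8, "big"))
           + _opt(14, b"\x11" * 6)
           + _opt(12, b"\x00" * 2 + b"\xaa" * 16 + b"SIGNATURE-PLACEHOLDER"))
BAD_NS = NS_HEADER + bytes([1, 0, 0, 0, 0, 0, 0, 0])   # option with length 0
ECHO_REQUEST = bytes([128, 0, 0, 0, 0, 1, 0, 1])        # not ND at all

if __name__ == "__main__":
    for name, pkt in [("plain NS", PLAIN_NS), ("SeND NS", SEND_NS),
                      ("bad NS", BAD_NS), ("echo request", ECHO_REQUEST)]:
        msg = parse_nd(pkt)
        opts = [OPTION_NAMES.get(t, str(t)) for t, _ in msg.options]
        print(f"{name}: {classify(pkt)} options={opts} error={msg.error}")
```

The classification only decides which path a message takes; verifying the CGA, timestamp, nonce and signature is the job of the verification path that receives it. The same option walk is what a network-side ND filter of the kind Rémi mentions (an ARP-inspection analogue on the switch) needs before it can apply any per-option policy, which is why the zero-length option case matters: a parser that does not stop there loops forever.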
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
