[radvd-devel-l] RA, RS Security
Pekka Savola
radvd-devel-l@litech.org
Wed, 17 Apr 2002 12:55:46 +0300 (EEST)
On Wed, 17 Apr 2002, Yann KLIS wrote:
> Is there any plan to ensure security on RA (or RS)? I.e., will radvd be
> able to put AH extension header on RA so that only hosts which know how
> to decode this AH packet will be able to autoconfigure and communicate
> on the Internet?
> Is it, at least, possible? Is there any documentation on such security
> problems?
This hasn't really been considered. IPSECv6 isn't really all that
available for Linux yet. In any case, securing messages should also be
doable in the kernel; as a general case, no application support should
usually be necessary.
In any case, securing RA/RS will be really problematic as the security
associations would have to be manually keyed (e.g. to solicited multicast
addresses). See this for more details on problems:
http://www.ietf.org/internet-drafts/draft-kempf-ipng-netaccess-threats-00.txt
--
Pekka Savola "Tell me of difficulties surmounted,
Netcore Oy not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords