[radvd-devel-l] RA, RS Security

Pekka Savola radvd-devel-l@litech.org
Wed, 17 Apr 2002 12:55:46 +0300 (EEST)


On Wed, 17 Apr 2002, Yann KLIS wrote:
> Is there any plan to ensure security on RA (or RS)? I.e., will radvd be
> able to put AH extension header on RA so that only hosts which know how
> to decode this AH packet will be able to autoconfigure and communicate
> on the Internet?
> Is it, at least, possible? Is there any documentation on such security
> problems?

This hasn't really been considered.  IPSECv6 isn't really all that
available for Linux yet.  In any case, securing messages should also be
doable in the kernel; as a general case, no application support should
usually be necessary.

In any case, securing RA/RS will be really problematic as the security
associations would have to be manually keyed (e.g. to solicited multicast
addresses).  See this for more details on problems:

http://www.ietf.org/internet-drafts/draft-kempf-ipng-netaccess-threats-00.txt

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords