[101279] in North American Network Operators' Group
Re: v6 subnet size for DSL & leased line customers
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Wed Dec 26 15:22:53 2007
Cc: Leo Bicknell <bicknell@ufp.org>,
North American Network Operators Group <nanog@merit.edu>
From: Iljitsch van Beijnum <iljitsch@muada.com>
To: Tony Li <tony.li@tony.li>
In-Reply-To: <F1934DCA-E88A-43C4-B517-E12EE368086E@tony.li>
Date: Wed, 26 Dec 2007 21:19:54 +0100
Errors-To: owner-nanog@merit.edu
On 26 dec 2007, at 19:22, Tony Li wrote:
> This doesn't resolve the real underlying problem: Ethernet is
> inherently insecure. MAC addresses can be forged, protocols (ARP,
> ND) can be forged and at this point, there's not much that we can do
> about it. Architecturally, we need authentication over each and
> every control plane packet sent. Getting there without invoking the
> full complexity of a public key infrastructure is still an unsolved
> problem, AFAIK.
Actually, for this particular purpose, this is mostly a solved
problem, although there is of course no free lunch.
Many switches can enforce a MAC/port relationship, so that MAC
addresses can't be spoofed.
Neighbor discovery and router advertisements can be secured with SEND
(SEcure Neighbor Discovery). This happens through CGAs,
cryptograpically generated addresses. Basically, the lower 64 bits of
the IPv6 address contains a hash over a public key. This makes it
possible to prove ownership over an address.
The not free part is that you need to configure certificates for trust
relationships = the routers that may be default gateways.
