[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Arturo Servin aservin at lacnic.net
Thu Sep 22 20:45:27 CEST 2011


On 22 Sep 2011, at 15:31, Jean-Michel Combes wrote:

> Hi Arturo,
> 2011/9/22 Arturo Servin <aservin at lacnic.net>:
>> Jean,
>> On 21 Sep 2011, at 19:36, Jean-Michel Combes wrote:
>>> Hi Fernando,
>>> At first thanks for the slides! Great job summarizing the state of the
>>> art about IPv6 security!
>>> Now, I have comments:
>>> -  Address resolution
>>> "SEND is very difficult to deploy (it requires a PKI)"
>>> AFAIK, you don't need a PKI. CGA is enough to secure NS/NA exchanges.
>>> Now, the main issue, IMHO, is hard-coded crypto algorithms: SHA-1,
>>> that should be replaced by the future SHA-3, and RSA, which is not
>>> very well adapted to constrained devices like sensors.
>>> - Auto-configuration
>>> "SEND is very difficult to deploy (it requires a PKI)"
>>> s/PKI/RPKI (cf. draft-ietf-csi-send-cert)
>>> And again, AFAIK, RIRs are currently working to deploy RPKI (e.g.,
>>> http://www.rpki.net for ARIN) and openssl already allows to generate
>>> the needed certificates. Now I agree there is still work to deploy
>>> this technology in product networks.
>>   I think your are mixing concepts. RPKI does have to do anything with SEND.
> Please, read the draft

	Which one, there are like 10.  

> and you should see the relationship with SIDR
> WG works and so RPKI.

	The only common thing between RPKI and SEND is that both use PKI. No more.

	I do not see your point to bring up RPKI and RIR work along with SEND. I just cannot find the connection (besides that both are PKIs).


More information about the Ipv6hackers mailing list