[ipv6hackers] IPv6 security presentation at Hack.lu 2011
Arturo Servin
aservin at lacnic.net
Thu Sep 22 20:45:27 CEST 2011

Jean,

On 22 Sep 2011, at 15:31, Jean-Michel Combes wrote:
> Hi Arturo,
>
> 2011/9/22 Arturo Servin <aservin at lacnic.net>:
>> Jean,
>>
>> On 21 Sep 2011, at 19:36, Jean-Michel Combes wrote:
>>
>>> Hi Fernando,
>>>
>>> At first thanks for the slides! Great job summarizing the state of the
>>> art about IPv6 security!
>>>
>>> Now, I have comments:
>>> - Address resolution
>>> "SEND is very difficult to deploy (it requires a PKI)"
>>> AFAIK, you don't need a PKI. CGA is enough to secure NS/NA exchanges.
>>> Now, the main issue, IMHO, is hard-coded crypto algorithms: SHA-1,
>>> that should be replaced by the future SHA-3, and RSA, which is not
>>> very well adapted to constrained devices like sensors.
>>> - Auto-configuration
>>> "SEND is very difficult to deploy (it requires a PKI)"
>>> s/PKI/RPKI (cf. draft-ietf-csi-send-cert)
>>> And again, AFAIK, RIRs are currently working to deploy RPKI (e.g.,
>>> http://www.rpki.net for ARIN) and openssl already allows to generate
>>> the needed certificates. Now I agree there is still work to deploy
>>> this technology in product networks.
>>
>> I think you are mixing concepts. RPKI does have to do anything with SEND.
>
> Please, read the draft

Which one, there are like 10.

> and you should see the relationship with SIDR
> WG works and so RPKI.

The only common thing between RPKI and SEND is that both use PKI. No more.

I do not see your point to bring up RPKI and RIR work along with SEND. I just cannot find the connection (besides that both are PKIs).

.as