[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Jean-Michel Combes jeanmichel.combes at gmail.com
Mon Sep 26 13:38:55 CEST 2011

Hi Fernando,

2011/9/25 Fernando Gont <fgont at si6networks.com>:
> Hi, Geoff,
> On 09/22/2011 04:45 PM, Geoff Huston wrote:
>> Actually, as far as I am aware the answer is yes, RPKI can be used to
>> support EE certs issued to routers, or at least that was the
>> intention back in 2009 when we were working on the RPKI and SEND
>> documents in the IETF.
> Even with this in place, I don't see how this would make SEND deployment
> easier for an edge network.
> Are e.g. home/organisational networks expected to receive a certificate
> from their ISPs such that they can use SEND as a mitigation for ND-based
> attacks?

<ISP hat on>
Yes, could be the case.
Now, IMHO, still missing tools do to this: we have already PD with
DHCPv6 but we would need something to provide, dynamically too, the
associated certs (e.g., draft-popoviciu-dhc-certificate-opt).
<ISP hat off>

Best regards.


> Leveraging RPKI might make sense for some carrier/ISP networks, but I
> can't see how that would ease SEND deployment for the general case.
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers

More information about the Ipv6hackers mailing list