Subject: Re: IPv6 Router Renumbering
To: Feico Dillema <firstname.lastname@example.org>
From: None <email@example.com>
Date: 07/18/2000 06:20:34
>> again, it is next to impossible to configure it in secure manner,
>> due to ipsec configuration twist (multicast ipsec is almost
>> impractical, site-local IPv6 routing is also impractical, router
>> renumbering requires BOTH!). i just do not feel like putting it
>> into the tree.
>Ah, I didn't know (remember) that it depended on site-local routing.
>That sounds bad to me too; there isn't much consenses on the
>site-local routing issue in the IETF groups yet, or is there?
not very much.
>Why is multicast ipsec impractical (never looked at it, so am
>ignorant on it). Is it a configuration nightmare (is it fundamentally
>different than for unicast IPSEC?), or is it impractical
>from a security perspective (one compromised router, compromises all
it is (1) key distribution issue (no automated key distribution
mechanism), (2) support issue (not many routers do IPv6 IPsec - yet),
and finally (3) ipsec-over-multicast itself is not documented well
(if not at all).
due to key distribution issue, you'd need to configure ipsec manual
keys into all routers.
>Wouldn't it be feasible to have a renumbering protocol
>based on global-address unicast only. It may be a bit less functional,
>but more practical and I'd think sufficient for *re*-numbering
>(instead of also for bootstrap auto-configuration).
please speak up in ipngwg, i did not define it :-)
if we use global unicast,
(1) outsiders can transmit you a router renumbering command messages
(2) during the renumbering process, you will remove global address
from ISP A and add one from ISP B. if you remove A first,
you will be hosed (and it is possible to do)
(3) how can we maintain list of routers address?