A method to prevent DoS in IPv6 DAD and Mobile IPv6

Pekka Nikander <pekka.nikander@nomadiclab.com> Sun, 18 March 2001 11:20 UTC

Message-ID: <3AB47F98.A5CFEC6C@nomadiclab.com>
Date: Sun, 18 Mar 2001 11:27:52 +0200
From: Pekka Nikander <pekka.nikander@nomadiclab.com>
To: IPSEC Mailing List <ipsec@lists.tislabs.com>, IPNG Mailing List <ipng@sunroof.eng.sun.com>
Subject: A method to prevent DoS in IPv6 DAD and Mobile IPv6

A number of recent IDs have shown a number of potential
security deficiencies in the way IPsec is used in a number
of IPv6 signalling functions, including Duplicate Address
Detection (DAD) and Mobile IPv6 Binding Updates (BUs).  The
relevant drafts include the following.

   draft-arkko-icmpv6-ike-effects-00.txt
   draft-nikander-ipng-address-ownership-00.txt

The so-called PBK-keys (draft-bradner-pbk-frame-00.txt)
attempts to solve the Mobile IPv6 related problem by
proposing a new class of identifiers, EIDs.  In some respects
that approach is similar to the HIP approach.

While thinking about the problem, an idea of using the IPv6
interface identifier as a cryptographic token appeared to me.
That is, by generating the interface identifier from components
using a cryptographic one-way function, one can "bind" the
interface identifier to the components, and then base security
on the components.

The idea is very new, and comments are solicited.  Currently a
working copy of the forthcoming -00 drafts is available at

http://www.tml.hut.fi/~pnr/publications/draft-nikander-ipng-pbk-addresses-00.txt

I'll be working with the draft during my flights to Minneapolis,
posting it as soon as drafts are accepted again.

There is currently a plan to discuss related issues at the Mobile IP 
WG meeting and the SAAG session on Thursday.

--Pekka Nikander
  Ericsson
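
The binding described in the message, sketched as an added example that is not part of the original post or of the referenced draft: a 64-bit interface identifier is derived from components with a one-way function, and a verifier recomputes it from revealed components. The choice of components (public key bytes plus a nonce), SHA-256, the length-prefixed encoding, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

# Assumption: SHA-256 stands in for the "cryptographic one-way function";
# the post does not name one.
def derive_iid(components: list[bytes]) -> bytes:
    """Hash the components and keep 64 bits as the interface identifier."""
    h = hashlib.sha256()
    for c in components:
        # Length prefix so (b"ab", b"c") and (b"a", b"bc") hash differently.
        h.update(len(c).to_bytes(2, "big"))
        h.update(c)
    iid = bytearray(h.digest()[:8])
    # Clear the universal/local (0x02) and group (0x01) bits of the first
    # octet so the value is not read as a globally unique EUI-64 identifier.
    iid[0] &= 0xFC
    return bytes(iid)

def make_address(prefix: str, components: list[bytes]) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the hash-derived interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return net[int.from_bytes(derive_iid(components), "big")]

def verify_claim(address, components: list[bytes]) -> bool:
    """Check that the revealed components really produce this address's IID."""
    addr = ipaddress.IPv6Address(address)
    claimed = (int(addr) & (2**64 - 1)).to_bytes(8, "big")
    return hmac.compare_digest(claimed, derive_iid(components))

if __name__ == "__main__":
    # Constructed sample values: documentation prefix, placeholder key, fixed nonce.
    prefix = "2001:db8:0:1::/64"
    owner = [b"constructed-public-key", bytes(16)]
    addr = make_address(prefix, owner)
    print("address:", addr)
    print("owner claim accepted:", verify_claim(addr, owner))
    # A node that cannot produce matching components fails the check.
    print("other key accepted:", verify_claim(addr, [b"other-key", bytes(16)]))
    # A fresh nonce gives a different address, e.g. after a real DAD collision.
    print("retry address:", make_address(prefix, [owner[0], b"\x01" * 16]))
```

With only 62 effective hash bits in the identifier, the check raises the cost of claiming someone else's address rather than making it impossible; proving possession of the private key behind the public-key component would be a separate step.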