Why allow… (security)

How does authenticating first, giving IP address later help?

- In physically secured links: Client ID is known and bound to the link after PANA. (When an attack is detected, the attacker can be identified.)
- L2-ciphered prior to PANA: Attacker identification.
- L2-ciphered after PANA: Attacker identification.
- IPsec-based access control: Secure DHCP: draft-tschofenig-pana-bootstrap-rfc3118-00.txt
- Still need secure DAD… PANA SA might help SEND… (a non-CGA-based scheme? For IPv4 too?)

No straightforward benefit of configuring IP after PANA.