Re: Node Requirements: Issue 13 - CGA/SeND support

[Hesham Soliman <hesham at elevatemobile.com>]

Hi John, 
 I think it needs to be a should.

Hesham

> Hesham,
> 
> I agree with you, the Node cannot know this, it can only do the right thing
> once the SeND process starts. Do people feel that SeND should be a basic
> feature of IPv6 that all nodes SHOULD support?
> 
> John 
> 
> -----Original Message-----
> From: ipv6-bounces at ietf.org [mailto:ipv6-bounces at ietf.org] On Behalf Of ext
> Hesham Soliman
> Sent: Wednesday, July 22, 2009 11:46 PM
> To: Laganier, Julien; Thomas Narten; ipv6 at ietf.org
> Subject: Re: Node Requirements: Issue 13 - CGA/SeND support
> 
> Looks good in general, but I'm not sure if the host can always determine the
> nature of the link or the level of security available on that link. It can
> probably infer (sometimes inaccurately) but it's not laways possible to know.
> 
> I agree with the SHOULDs and the intention of the MAY, I just don't know if a
> host knows enough to decide about the MAY.
> 
> Hesham
> 
> 
> On 23/07/09 12:59 PM, "Laganier, Julien" <julienl at qualcomm.com> wrote:
> 
>> Just for the sake of getting the discussion started, I drafted some
>> text we can discuss:
>>  
>>    Secure Neighbor Discovery [RFC3971] SHOULD be supported.  [RFC4861]
>> states:
>> 
>>       Cryptographic security mechanisms for Neighbor Discovery are outside
>>       the scope of this document and are defined in [RFC3971].
>> 
>>    Secure Neighbor Discovery [RFC3971] SHOULD be used when physical security
>>    on the link is not assured.  [RFC3971] states:
>> 
>>       The SEND protocol is designed to counter the threats to NDP.  These
>>       threats are described in detail in [22].  SEND is applicable in
>>       environments where physical security on the link is not assured (such
>>       as over wireless) and attacks on NDP are a concern.
>> 
>>    Secure Neighbor Discovery [RFC3971] MAY be disabled when the link is
>>    point-to-point and link-layer security is assured, including mutual
>>    authentication of the link end-points and data origin integrity
>> protection.
>> 
>> What do you think?
>> 
>> --julien
>> 
>> 
>>> -----Original Message-----
>>> From: ipv6-bounces at ietf.org [mailto:ipv6-bounces at ietf.org] On Behalf
>>> Of Thomas Narten
>>> Sent: Tuesday, July 21, 2009 2:36 PM
>>> To: ipv6 at ietf.org
>>> Subject: Node Requirements: Issue 13 - CGA/SeND support
>>> 
>>> Tim Chown <tjc at ecs.soton.ac.uk> writes:
>>> 
>>>> What about CGA/SeND support?  I can't see any reference to this
>>>> currently.   Should there be?   It's often waved as the answer to
>>>> make rogue RAs 'go away', so perhaps we should.
>>> 
>>> I agree we need to have a section that addresses this topic.
>>> 
>>> If no one suggests text, I'll take a stab.
>>> 
>>> Thomas
>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> ipv6 at ietf.org
>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6 at ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6 at ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6 at ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------