Hi Dong,
Can the mix of ND and SeND on the same link be a common case? I mean,
if this happens, how to handle the NA/NS between a SeND node and a
non-SeND node?
SEND/non-SEND interoperation is dealt with extensively in RFC3971.
It does make sense to have a mix of nodes on the LAN, and this allows
incremental security deployment.
The following preflevel values have been identified (from lowest to
highest):
o LLA_MAC_MATCH: LLA (found in NDP option) and MAC (found at layer2)
are identical;
o TRUNK_PORT: the entry was learnt from a trunk port (connected to
another switch)
o ACCESS_PORT: the entry was learnt from an access port (connected to
a host)
o TRUSTED_ACCESS: The entry was learnt from a trusted port
o TRUSTED_TRUNK: The entry was learnt from a trusted trunk
o DHCP_ASSIGNED: the entry is assigned by DHCP
o CGA_AUTHENTICATED: The entry is CGA authenticated, per [RFC3972]
o CERT_AUTHENTICATED: the entry is authenticated with a certificate
o STATIC: this is a statically configured entry per [RFC3971].
Then what about ACCESS_PORT+DHCP_ASSIGNED and
TRUNK_PORT+CGA_AUTHENTICATED; which is bigger?
I think there will be some different cases and combinations of the
preflevel values. Is it necessary and possible to list every case,
giving a particular illustration? Then it will be much clearer.
Perhaps I might miss something.
Since the bindings identify the level of authority attained about the
address mapping, only the highest of these should be considered.
The presence of CGA_AUTHENTICATED means the higher level of
certification which has been attained by the binding. This would
supersede a previous (or contemporary) binding of TRUNK_PORT.
Therefore the binding state would be CGA_AUTHENTICATED.
Similarly, with ACCESS_PORT+DHCP_ASSIGNED, the DHCP assignment is a
control process which can be authenticated and is specified by a server.
This has more authority than the ACCESS_PORT binding. Therefore this
binding's state is DHCP_ASSIGNED.
Comparison of these bindings therefore becomes simpler: DHCP_ASSIGNED vs
CGA_AUTHENTICATED.
Perhaps some clarifying words could be put into the draft?
I guess so. If this was not crystal clear in the current writing, it
means I need to clarify. You got it all right, though.
Please note that an address binding can be both CGA authenticated and
DHCPv6 assigned, since a node can propose its address in DHCPv6 based
on known address prefixes. In this case, the fact that the device can
perform SEND CGA Auth on the address lends more authority to the
binding (giving CGA_AUTHENTICATED state).
Sincerely,
Greg Daley
Security Consultant
NetStar Australia Pty Ltd
E-mail: gdaley at netstarnetworks.com
Mobile: +61 401 772 770
Direct: +61 3 8532 4042
Fax: +61 3 8532 4032
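As an added illustration of the rule discussed in the thread (not code from the draft or from either correspondent), the following Python models a binding that accumulates evidence, takes the highest preflevel attained as its state, and compares two contested bindings on that state. The Binding class, the anchor names and the addresses are constructed for the example; how equal preflevels are resolved is not covered by the thread and is treated here as an assumption (left undecided).

```python
from enum import IntEnum


class PrefLevel(IntEnum):
    """The preflevel values listed in the thread, lowest first."""
    LLA_MAC_MATCH = 1
    TRUNK_PORT = 2
    ACCESS_PORT = 3
    TRUSTED_ACCESS = 4
    TRUSTED_TRUNK = 5
    DHCP_ASSIGNED = 6
    CGA_AUTHENTICATED = 7
    CERT_AUTHENTICATED = 8
    STATIC = 9


class Binding:
    """Address-to-anchor binding; the structure is this example's own, not the draft's."""

    def __init__(self, address, anchor, *evidence):
        self.address = address      # constructed sample address
        self.anchor = anchor        # constructed sample port / anchor name
        self.evidence = set(evidence)

    def add_evidence(self, level):
        # Evidence accumulates, e.g. DHCP assignment first, CGA proof later.
        self.evidence.add(level)

    def preflevel(self):
        # Only the highest level of authority attained counts.
        return max(self.evidence)


def resolve(existing, candidate):
    """Return the binding that should hold the address, or None on a tie (assumption)."""
    if candidate.preflevel() > existing.preflevel():
        return candidate
    if candidate.preflevel() < existing.preflevel():
        return existing
    return None


if __name__ == "__main__":
    # The two combinations Dong asked about, contesting the same address.
    host = Binding("2001:db8::a", "access-1", PrefLevel.ACCESS_PORT, PrefLevel.DHCP_ASSIGNED)
    uplink = Binding("2001:db8::a", "trunk-1", PrefLevel.TRUNK_PORT, PrefLevel.CGA_AUTHENTICATED)
    print(host.preflevel().name, "vs", uplink.preflevel().name, "->", resolve(host, uplink).anchor)
```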