[VRRP] SEND comments (was RE: DISCUSS and COMMENT: draft-ietf-vrrp-unified-spec)
For VRRP list comments
Steve
[snipped]
> > In the context of IPv6 operation, if SEcure Neighbor Discovery (SEND)
> > [RFC3791] is deployed, VRRP authentication could be usefully added,
> > because misconfiguration of secrets will not be an issue. Routers with
> > different secrets will have different IPv6 addresses, and therefore
> > there will be no issue with multiple masters with the same
> > IPv6 (and MAC) addresses. Also, SEND will prevent malicious routers
> > from sending misleading ND messages.
>
> Hmm. As an author of RFC 3971 it is not quite clear to me
> what you mean above. First of all, no "secrets" are involved
> in RFC 3971, only key pairs for CGA addresses. Secondly, it
> is not required for routers to employ the CGA part of SEND;
> in most cases I would expect the configuration of
> certificates for prefix::1 or something like that.
>
> Thirdly, I do not understand why there is no issue when the
> backup takes over, because then the backup has to
> authoritatively sign the NAs and RAs it is sending, for the
> primary's address.
> If the "trust anchor and cga" mode from RFC 3971 is used, the
> private key would have to be shared, or this would not work
> at all. And private key sharing is not necessarily a good idea.
>
> I would recommend saying this:
> - VRRP is compatible with "trust anchor" and "trust anchor or cga" modes
>   of SEND
> - The configuration needs to give the two routers the same prefix
>   delegation in the certificates
> - But still, the routers should have their own key pairs
>
> (Further modes are possible when the CSI WG gets some work done.)
Note: Christian's comments went under a separate email thread.
>
> Comment:
> Christian Vogt's review:
>
> - The document uses the acronym "IPvX" in order to refer to both/either
>   IP version. Since IPvX might be confused with the more prevalent
>   acronym IPX for Novell's Internetwork Packet Exchange protocol, I
>   would replace the occurrences of IPvX with either "IPv4 or IPv6", or
>   simply with "IP".
>
> - In the figures illustrating sample configurations in section 4, it is
>   not clear which IP address labels denote a host's own IP address vs.
>   which denote the IP address of the router that a host is using.
>   Both are currently denoted "IPvX A" in the figure. Suggest
>   distinguishing the two types of labels more clearly.
>
>
_______________________________________________
vrrp mailing list
vrrp at ietf.org
https://www.ietf.org/mailman/listinfo/vrrp
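The trust-anchor arrangement recommended in the quoted review (both VRRP routers hold a certificate with the same prefix delegation, but each keeps its own key pair, and the backup signs RAs for the VRRP address with its own key) as an added example in Go. This is illustrative code written for this page; it is not from the draft, from RFC 3971 or from any VRRP implementation. It stands in for X.509 certificates with RFC 3779 delegations with a signed (router key, prefix) tuple, and the prefix 2001:db8:1::/64, the VRRP address fe80::1, and every type and function name are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"net/netip"
)

// Toy model of SEND "trust anchor" mode for two VRRP routers. Assumptions of
// this illustration, not of the draft or RFC 3971: a router "certificate" is
// reduced to (router public key, delegated prefix) signed by the trust anchor,
// and an RA is reduced to (source address, prefix) signed by the router.

type RouterCert struct {
	RouterPub ed25519.PublicKey
	Prefix    netip.Prefix // prefix the anchor delegates to this router
	Sig       []byte       // anchor's signature over certBytes
}

type RA struct {
	Source netip.Addr   // address the RA is sent from (here the VRRP address)
	Prefix netip.Prefix // on-link prefix being advertised
	Sig    []byte       // router's signature over raBytes
}

func certBytes(pub ed25519.PublicKey, p netip.Prefix) []byte {
	return append([]byte("cert|"+p.String()+"|"), pub...)
}

func raBytes(src netip.Addr, p netip.Prefix) []byte {
	return []byte("ra|" + src.String() + "|" + p.String())
}

// IssueCert is the trust anchor delegating a prefix to a router's own key.
func IssueCert(anchor ed25519.PrivateKey, routerPub ed25519.PublicKey, p netip.Prefix) RouterCert {
	return RouterCert{routerPub, p, ed25519.Sign(anchor, certBytes(routerPub, p))}
}

// SignRA is a router (master or backup) signing an RA with its own key.
func SignRA(router ed25519.PrivateKey, src netip.Addr, p netip.Prefix) RA {
	return RA{src, p, ed25519.Sign(router, raBytes(src, p))}
}

// VerifyRA is the host-side check: the anchor signed the cert, the cert's
// delegation covers the advertised prefix, and the certified key signed the RA.
func VerifyRA(anchorPub ed25519.PublicKey, c RouterCert, ra RA) error {
	if !ed25519.Verify(anchorPub, certBytes(c.RouterPub, c.Prefix), c.Sig) {
		return fmt.Errorf("certificate not signed by trust anchor")
	}
	if !c.Prefix.Contains(ra.Prefix.Addr()) || ra.Prefix.Bits() < c.Prefix.Bits() {
		return fmt.Errorf("advertised %s is outside delegation %s", ra.Prefix, c.Prefix)
	}
	if !ed25519.Verify(c.RouterPub, raBytes(ra.Source, ra.Prefix), ra.Sig) {
		return fmt.Errorf("RA not signed by the certified router key")
	}
	return nil
}

// Outcome reports the three cases the thread touches on.
type Outcome struct {
	BackupOK        bool  // backup signs for the shared VRRP address with its own key
	WrongPrefixErr  error // a router certified for a different prefix
	BorrowedCertErr error // backup presents the master's cert but signs with its own key
}

func Scenario() (Outcome, error) {
	var o Outcome
	anchorPub, anchorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	masterPub, _, err := ed25519.GenerateKey(rand.Reader) // master's private key is never shared
	if err != nil {
		return o, err
	}
	backupPub, backupPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	otherPub, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	onLink := netip.MustParsePrefix("2001:db8:1::/64") // constructed sample prefix
	vrrpAddr := netip.MustParseAddr("fe80::1")          // constructed VRRP virtual address

	// Both VRRP routers get their own cert carrying the same delegation.
	masterCert := IssueCert(anchorPriv, masterPub, onLink)
	backupCert := IssueCert(anchorPriv, backupPub, onLink)
	otherCert := IssueCert(anchorPriv, otherPub, netip.MustParsePrefix("2001:db8:2::/64"))

	// Backup takes over and signs the RA for the VRRP address with its own key.
	o.BackupOK = VerifyRA(anchorPub, backupCert, SignRA(backupPriv, vrrpAddr, onLink)) == nil
	// A router whose delegation does not cover the prefix is rejected.
	o.WrongPrefixErr = VerifyRA(anchorPub, otherCert, SignRA(otherPriv, vrrpAddr, onLink))
	// Reusing the master's cert is useless without the master's private key.
	o.BorrowedCertErr = VerifyRA(anchorPub, masterCert, SignRA(backupPriv, vrrpAddr, onLink))
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("backup RA accepted:", o.BackupOK)
	fmt.Println("wrong prefix:", o.WrongPrefixErr)
	fmt.Println("borrowed cert:", o.BorrowedCertErr)
}
```

The point of the three cases is the one the review makes: what ties the backup to the VRRP address is the anchor's delegation of the on-link prefix to the backup's own key, so no private key has to move between routers, and a certificate for a different prefix, or the master's certificate presented without the master's key, both fail at the host.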